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Executive  Summary 


Traditional  insider  threat  management  involves  practices  that  constrain  users,  monitor  their  be¬ 
havior,  and  detect  and  punish  misbehavior.  Such  negative  incentives  attempt  to  force  employees 
to  act  in  the  interests  of  the  organization  and,  when  relied  on  excessively,  can  result  in  negative 
unintended  consequences  that  exacerbate  the  threat. 

Positive  incentives  can  complement  traditional  practices  by  encouraging  employees  to  act  in  the 
interests  of  the  organization,  especially  through  intrinsic  motivators.  Intrinsic  motivation  comes 
from  a  person’s  internal  sense  of  fulfillment  or  satisfaction,  rather  than  external  rewards  or  pun¬ 
ishments.  Preliminary  evidence  suggests  that  positive  incentives  can  deter  insider  misbehavior  in 
a  constructive  way  from  the  outset  of  the  employee-organization  relationship  with  fewer  dysfunc¬ 
tional  consequences  than  traditional  practices  alone. 

This  report  describes  the  preliminary  results  of  an  internally  funded  exploratory  research  project 
at  the  Software  Engineering  Institute  (SEI)  to  assess  the  potential  for  positive  incentives  to  com¬ 
plement  traditional  practices  in  a  way  that  provides  a  better  balance  for  organizations’  insider 
threat  programs. 

We  believe  there  are  three  dimensions  along  which  we  can  align  an  employee’s  intrinsic  incen¬ 
tives  with  their  employer’s  interests.  These  dimensions  center  on  the  employee’s  job,  their  organi¬ 
zation,  and  the  people  they  work  with: 

•  Job  Engagement  involves  the  extent  to  which  employees  are  excited  by  and  absorbed  in  their 
work.  Strengths-based  management  and  professional  development  are  practices  known  to 
boost  employee  job  engagement.  Strengths-based  management  focuses  primarily  on  identify¬ 
ing  and  using  an  individual’s  personal  and  professional  strengths  in  managing  both  their  ca¬ 
reer  and  job  performance  [Buckingham  2009]. 

•  Perceived  Organizational  Support  involves  the  extent  to  which  employees  believe  their  or¬ 
ganization  values  their  contributions,  cares  about  their  well-being,  supports  their  socio-emo- 
tional  needs,  and  treats  them  fairly.  Here,  programs  promoting  flexibility,  work/family  bal¬ 
ance,  employee  assistance,  alignment  of  compensation  with  industry  benchmarks,  and 
constructive  supervision  that  attends  to  employee  needs  can  boost  perceived  organizational 
support. 

•  Connectedness  at  Work  involves  the  extent  to  which  employees  trust,  feel  close  to,  and 
want  to  interact  with  the  people  with  whom  they  work.  Practices  involving  team  building  and 
job  rotation  can  boost  employees’  sense  of  interpersonal  connectedness. 

There  has  been  extensive  previous  research  in  these  areas  that  demonstrate  their  value  in  terms  of 
employee  satisfaction,  commitment,  performance,  and  retention.  In  addition,  a  related  body  of  re¬ 
search  exists  to  help  determine  their  value  for  reducing  counterproductive  work  behaviors  gener¬ 
ally.  The  SEI’s  research  aims  to  bolster  the  evidence  that  interest-alignment  practices  reduce  the 
more  egregious  forms  of  insider  threat,  such  as  employee  theft  and  sabotage. 


SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


v 


In  summary,  this  report  describes  our  research  progress  in  several  areas: 


•  Analyzing  several  high-profile  insider  incidents  for  the  levels  of  job  engagement,  coworker 
connectedness,  and  perceived  organization  support  evident  during  the  incident  timeline.  Per¬ 
ceived  organizational  support  was  found  to  be  low,  but  not  necessarily  in  the  extreme.  These 
incident  case  studies  suggested  focusing  on  organizational  support  in  our  survey  research. 

•  Conducting  a  survey  of  individuals  responsible  for  establishing  insider  threat  programs  in 
organizations.  Supporting  and  extending  previous  research,  we  found  a  negative  correlation 
between  perceived  organizational  support  and  intentional  (primarily  malicious)  counterpro¬ 
ductive  work  behaviors.  A  somewhat  weaker  negative  correlation  was  also  found  between  or¬ 
ganizational  justice  and  these  behaviors.  The  relationships  were  found  to  be  statistically  sig¬ 
nificant  at  the  95%  confidence  level.  However,  the  exploratory  nature  of  our  initial  analysis 
does  not  permit  us  to  generalize  this  relationship  to  the  larger  population  of  organizations. 

•  Developing  a  simulation  model  that  illustrates  the  value  of  positive  incentives.  We  developed 
a  system  dynamics  model  based  on  published  data  and  simple  (but  arguable)  assumptions 
showing  how  positive,  intrinsic  incentives  can  increase  a  program’s  operational  efficiency 
with  reduced  investigative  costs  and  fewer  incidents  involving  disgruntled  or  exploitive  insid¬ 
ers.  Our  incident  analysis  and  survey  work  provided  validation  of  the  simulation  model  struc¬ 
ture.  We  will  continue  to  calibrate  our  model  based  on  future  research  and  expect  to  demon¬ 
strate  similar  benefits  as  our  work  progresses. 

Our  research  raises  many  questions  about  how  an  insider  threat  program  can  or  should  incorporate 
positive  incentives  that  improve  employees’  perceptions  of  support  by  the  organization.  We  elab¬ 
orate  important  principles  and  practice  areas,  but  this  is  just  a  first  step.  Our  future  work  will  fo¬ 
cus  on  what  we  believe  to  be  the  key  to  a  successful  insider  threat  program:  identifying  the  mix  of 
positive  and  negative  incentives  that  creates  a  net  positive  for  employees. 

The  challenge  is  that  people  respond  to  negative  incentives  differently  depending  on  the  culture  of 
the  organization,  the  nature  of  their  job,  and  their  personality.  Fortunately,  existing  theory  pro¬ 
vides  insight  into  these  differences  and  can  illuminate  a  means  for  building  a  general  transition 
process  to  take  an  organization  from  its  current  state  to  one  that  has  a  balance  of  positive  and  neg¬ 
ative  incentives  that  promotes  employee  satisfaction,  performance,  and  retention  while  also  being 
more  effective  at  reducing  the  insider  threat. 
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Abstract 


Traditional  insider  threat  practices  involve  negative  incentives  that  attempt  to  force  employees  to 
act  in  the  interests  of  the  organization  and,  when  relied  on  excessively,  can  result  in  negative  un¬ 
intended  consequences  that  exacerbate  insider  threats.  Positive  incentives  that  attempt  to  encour¬ 
age  employees  to  act  in  the  interests  of  the  organization  can  complement  negative  incentives.  In 
our  research,  we  identified  and  analyzed  three  avenues  for  aligning  the  interests  of  the  employee 
and  the  organization:  job  engagement,  perceived  organizational  support,  and  connectedness  with 
coworkers.  Based  on  an  analysis  of  three  insider  threat  incidents  and  a  survey  of  organizations,  we 
developed  a  model  of  the  disgruntled  insider  threat  problem  as  it  relates  to  dissatisfaction  with  the 
employing  organization  and  the  potential  benefits  associated  with  positive,  intrinsic  incentives 
that  improve  perceived  organizational  support  and  justice.  To  help  organizations  understand  their 
options  for  using  positive  incentives  as  part  of  their  insider  threat  program,  we  outline  workforce 
management  practices  to  improve  employees’  feelings  of  being  supported  by  the  organization. 
This  research  is  a  first  step  toward  creating  a  well-grounded  foundation  on  which  insider  threat 
programs  can  establish  a  more  balanced  and  effective  means  of  reducing  insider  threats,  one  that 
is  a  net  positive  for  employees. 
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1  Introduction 


Traditional  guidance  regarding  how  to  defend  against  insider  threats  focuses  primarily  on  nega¬ 
tive  incentives,  which  constrain  employee  behavior  or  detect  and  punish  misbehavior.  These  tradi¬ 
tional  security  practices  are  necessary  to  reduce  insider  threats,  but  their  excessive  use  can  result 
in  counterproductive  constraints  on  employees’  actions,  overreliance  on  after-the-fact  responses 
that  fail  to  prevent  damage,  and  alienation  of  staff  that  can  exacerbate  insider  threats  [Moore 
2015].  Fortunately,  traditional  practices  are  only  part  of  the  suite  of  management  practices  that  or¬ 
ganizations  have  available  to  reduce  insider  threats. 

Figure  1  provides  an  abstract  view  of  the  spectrum  of  insider  threat  countermeasures.  The  bulk  of 
research  has  focused  on  detection  of  and  response  to  either  criminal  or  at-risk  behaviors.  Security 
policies  and  technical  measures  provide  negative  incentives  that  are  intended  to  deter  the  threats. 

Positive  incentives  can  complement  traditional  practices  by  encouraging  employees  to  act  in  the 
interests  of  the  organization  either  extrinsically  (e.g.,  through  rewards  for  following  security  poli¬ 
cies)  or  intrinsically  by  fostering  a  sense  of  commitment  to  the  organization,  the  work,  and 
coworkers.  Preliminary  evidence  suggests  that  positive,  intrinsic  incentives  can  deter  insider  mis¬ 
behavior  in  a  constructive  way  from  the  outset  of  the  employee-organization  relationship.  In  com¬ 
bination  with  traditional  practices,  positive  incentives  offer  the  possibility  of  a  more  balanced  and 
constructive  organizational  approach  to  reducing  the  insider  threat  with  fewer  dysfunctional  con¬ 
sequences. 


For  U.S.  Government  organizations  and  their  contractors  that  handle  classified  information,  Exec¬ 
utive  Order  13587  requires  establishing  formal  insider  threat  programs.  A  few  forward-thinking 
sources  make  the  case  that  positive,  intrinsic  incentives  are  a  significant  missing  aspect  of  insider 
threat  defense  [Bunn  2014,  DSS  2016,  CPNI 2014,  Theoharidou  2005,  Sarbin  1994]. 
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This  report  describes  the  results  of  a  research  effort  to  establish  and  model  the  influence  of  posi¬ 
tive  incentives  on  reducing  insider  threats.  With  organizations  recognizing  the  downsides  of  nega¬ 
tive  incentives,  the  need  for  this  research  has  never  been  more  pressing  as  a  means  to  prevent  em¬ 
ployee  alienation  that  can  spur  insider  threats,  and  as  a  complement  to  their  organizational 
detection  and  response  capability. 

1 .1  Research  Context 

The  subject  of  our  research  intersects  issues  important  to  both  human  resources  (HR)  and  cyberse¬ 
curity  professionals.  Figure  2  provides  an  overview  of  the  context  of  our  research  in  related  re¬ 
search,  development,  and  practice.  In  general,  the  top  left  provides  a  two-dimensional  partition 
that  focuses  on  the  HR  domain,  while  the  bottom  right  provides  a  two-dimensional  partition  that 
focuses  on  the  cybersecurity  domain.  Our  research  is  at  the  nexus  of  these  two  domains  with  a  fo¬ 
cus  on  early-stage  disincentivization  of  insider  threats  using  positive,  intrinsic  incentives  that  ben¬ 
efit  both  the  employee  and  the  organization. 


Our  Focus 


Negative 
Incentives ' 


Counterproductivity, 

Security  Threats 

★ - 

Traditional  Studies  Relating 
IT  Security  Employee  Engagement  to 

Measures  Fewer  Counterproductive 
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Late  Stage, 

Detection  and  Response 


Figure  2:  Research  Landscape 


The  partition  in  the  top  left  of  Figure  2  breaks  the  space  by  the  practice  type  and  practice  target. 
Along  the  X  axis,  practice  type  is  split  into  the  following: 

•  Negative  incentive-based  practices  ( negative  incentives,  for  short):  workforce  management 
practices  that  attempt  to  force  employees  to  act  in  the  interests  of  the  organization 

•  Positive  incentive-based  practices  (positive  incentives,  for  short):  workforce  management 
practices  that  attempt  to  attract  employees  to  act  in  the  interests  of  the  organization 

Along  the  Y  axis,  the  target  of  the  practice  addresses  whether  the  primary  intent  is  improving  em¬ 
ployee  productivity  or  performance  versus  decreasing  counterproductivity  or  security  threats. 
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Negative  incentives  embody  the  traditional  information  technology  (IT)  security  approach  of  con¬ 
straining  and  detective  policies  and  technologies.  They  are  also  the  core  of  old-school  HR  practice 
that  focused  on  rules  for  proper  employee  behavior  and  punishment  for  misbehavior. 

While  a  balanced  approach  focuses  on  a  combination  of  positive  and  negative  incentives,  positive 
incentives  have  been  studied  extensively  in  the  modern  era  [Levy  2013,  Smither  2009].  By  far, 
most  of  this  research  focuses  on  the  benefits  of  this  approach  for  improved  productivity,  perfor¬ 
mance,  and  retention,  including  relatively  recent  focus  in  an  area  called  “positive  psychology” 
[Seligman  2012],  While  much  of  the  recent  practice -based  literature  focuses  on  a  concept  called 
“work  engagement,”  researchers  have  noted  that  this  concept  is  actually  a  conflation  of  a  lot  of 
previously  established  social  science  theories  and  domains  of  research  [Meyer  2013]. 

We  believe  there  are  three  dimensions  along  which  we  can  align  an  employee’s  intrinsic  incen¬ 
tives  with  their  employer’s  interests.  These  dimensions  are  centered  on  the  employee’s  job ,  their 
organization,  and  the  people  they  works  with: 

•  Job  Engagement  involves  the  extent  to  which  employees  are  excited  by  and  absorbed  in  their 
work.  Strengths-based  management1  and  professional  development  are  practices  known  to 
boost  employee  job  engagement.  Measurement  scales  for  employee  engagement  have  a  con¬ 
siderable  history,  including  use  by  both  the  U.S.  Government  [OPM  2015]  and  academic  re¬ 
searchers  [Schaufeli  2004a]. 

•  Perceived  Organizational  Support  involves  the  extent  to  which  employees  believe  their  or¬ 
ganization  values  their  contributions,  cares  about  their  well-being,  supports  their  socio-emo- 
tional  needs,  and  treats  them  fairly.  Here,  programs  promoting  flexibility,  work/family  bal¬ 
ance,  employee  assistance,  alignment  of  compensation  with  industry  benchmarks,  and 
constructive  supervision  that  attends  to  employee  needs  can  boost  perceived  organizational 
support.  Extensively  validated  measures  have  been  widely  used  since  the  1980s  [Eisenberger 
1986]  culminating  in  a  seminal  publication  that  summarizes  that  research  in  book  form  [Ei¬ 
senberger  2011]. 

•  Connectedness  at  Work  involves  the  extent  to  which  employees  trust,  feel  close  to,  and 
want  to  interact  with  the  people  with  whom  they  work.  Practices  involving  team  building  and 
job  rotation  can  boost  employees’  sense  of  interpersonal  connectedness.  One  important  scale 
is  the  one  associated  with  Self  Determination  Theory  (SDT),  in  particular  the  relatedness  as¬ 
pects  of  the  Basic  Psychological  Needs  at  Work  Scale  [Brien  2012],  Another  scale  is  associ¬ 
ated  with  the  Theory  of  Belongingness  [Malone  2012], 

Although  there  has  been  extensive  research  in  these  areas  that  demonstrate  their  value  in  terms  of 
employee  satisfaction,  commitment,  performance,  and  retention  [Levy  2013],  a  related  body  of 
research  exists  that  helps  to  determine  their  value  for  reducing  insider  threats. 

The  partition  in  the  bottom  right  portion  of  Figure  2  breaks  the  space  into  malicious  threat  type 
and  stage  of  mitigation.  While  we  do  not  consider  unintentional  threats,  we  represent  the  insider 
(employee)  threat  on  the  right  and  the  external  threat  on  the  left,  including  non-insiders  that  break 


Strengths-based  management  focuses  primarily  on  identifying  and  using  an  individual’s  personal  and  profes¬ 
sional  strengths  in  directing  their  career  and  managing  their  job  performance  [Buckingham  2009]. 
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into  an  organization’s  systems  and  masquerade  as  an  authorized  insider.  Along  the  Y  axis  we  in¬ 
clude  everything  from  early-stage  formation  of  threat  actor  motivations  to  late-stage  detection  and 
response  to  harmful  behaviors. 

The  bulk  of  cybersecurity  research,  development,  and  practice  covers  the  external  threat  on  the 
left  side  of  the  partition,  especially  in  the  later  stage.  Relatively  little  research  has  been  conducted 
on  early-stage  mitigation  of  the  external  threat,  as  might  be  investigated  using  soft-power  ap¬ 
proaches  to  cybersecurity  [Nye  201 1].  While  traditional  insider  threat  detection  and  respond  ap¬ 
proaches  focus  on  later  stage  activities  [Salem  2008],  our  research  focuses  on  the  early-stage  mo¬ 
tivation  formation.  And  rather  than  focusing  on  early-stage  detection  of  at-risk  behaviors,  such  as 
in  [Brown  2013,  Brdiczka  2012,  Greitzer  2010],  we  focus  on  the  prevention  of  employee  aliena¬ 
tion  by  fostering  positive  attitudes  about  the  organization  and  the  employee’s  work  experience. 

The  strongest  connection  in  the  literature  to  our  research  are  studies  that  show  that  positive  em¬ 
ployee  attitudes  are  linked  to  reduced  counterproductive  work  behaviors.  Counterproductive  work 
behaviors  include  malicious  insider  threat  behaviors  as  well  as  other  less  egregious,  but  still  coun¬ 
terproductive,  behaviors.  A  well-established  body  of  research  on  psychological  contract  that  em¬ 
ployees  (often  implicitly)  have  with  their  organizations  can,  if  breached,  serve  as  the  reason  for 
negative  attitudes  and  behaviors  by  employees  [Rousseau  1995,  Restubog  2015]. 

Research  on  psychological  contract  breach  aligns  with  modeling  research  conducted  at  the  SEI 
that  shows  patterns  of  insider  IT  sabotage  rooted  in  the  insider’s  unmet  expectations  [Cappelli 
2012].  Generally,  counterproductive  work  behaviors  are  found  to  be  negatively  correlated  with 
the  following: 

•  job  engagement  [Sulea  2012,  Ariani  2013] 

•  connectedness  at  work  [Sulea  2012] 

•  perceived  organizational  support  [Bordia  2008,  Sulea  2012,  Shoss  2013] 

•  organizational  citizenship  behavior  [Ariani  2013] 

•  conscientiousness  [Shoss  2013] 

•  employee  empowerment  [Afsheen  2013] 

Especially  significant  is  that  perceived  organizational  support  is  strongly  correlated  with  organiza¬ 
tional  commitment  [Rhoades  2001]. 

1 .2  Overview  of  the  Report 

Our  research  explores  the  role  of  positive,  intrinsic  incentives  on  insider  threat  behaviors  through 
incident  analysis  and  an  organizational  survey. 

Section  2  describes  the  analysis  of  three  incidents  of  unauthorized  disclosure  of  classified  infor¬ 
mation  to  better  understand  the  potential  role  of  job  engagement,  perceived  organizational  sup¬ 
port,  and  coworker  connectedness  in  the  context  of  the  insider’s  decision  to  disclose.  Based  on  the 
need  to  narrow  the  organizational  survey,  the  results  of  our  admittedly  limited  incident  analysis, 
and  some  supporting  literature,  we  focus  our  survey  work  on  perceived  organizational  support  and 
related  issues  of  organizational  justice. 
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Section  3  describes  the  survey  methodology  employed  and  the  analysis  of  the  results  of  twenty- 
three  respondents. 

Section  4  models  the  disgruntled  insider  threat  problem  as  it  relates  to  dissatisfaction  with  the  em¬ 
ploying  organization  and  the  potential  benefits  associated  with  positive,  intrinsic  incentives  that 
improve  perceived  organizational  support  and  justice. 

As  a  starting  point  for  organizations  to  understand  their  options  for  using  positive  incentives  as 
part  of  their  insider  threat  programs,  Section  5  provides  an  outline  of  workforce  management 
practices  based  on  positive  incentives. 

Finally,  Section  6  summarizes  our  results  and  describes  avenues  for  future  work.  The  research  de¬ 
scribed  here  is  a  first  step  toward  creating  a  well-grounded  foundation  on  which  insider  threat  pro¬ 
grams  can  establish  a  more  balanced  means  for  insider  threat  reduction. 


SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


5 


2  Incident  Analysis 


The  purpose  of  the  incident  analysis  described  in  this  section  is  to  help  answer  this  question:  To 
what  extent  are  the  interests  of  information  leakers  aligned  with  the  interests  of  the  organization? 
The  previously  described  breakdown  into  three  dimensions — job,  organization,  and  people — sug¬ 
gests  focusing  on  the  following  three  questions: 

1 .  Are  information  leakers  disengaged  in  their  job? 

2.  Do  information  leakers  perceive  their  organizations  to  be  supportive? 

3.  Are  information  leakers  disconnected  from  their  coworkers? 

This  section  describes  our  approach  to  analyzing  information  leakage  incidents  and  preliminary 
results  associated  with  analyzing  three  such  incidents.  We  answer  these  questions  for  each  inci¬ 
dent  prior  to  the  start  of  information  leaking  and  while  information  leaking  occurred. 

2.1  Methodology 

Our  research  methodology  involves  studying  multiple  incidents  of  unauthorized  disclosure  of 
classified  information.  We  use  only  public,  non-sensitive  sources  for  each  incident  and  code  the 
information  about  each  incident  so  we  can  make  results  from  our  research  generally  accessible  to 
other  researchers.  As  shown  in  Figure  3,  we  code  identified  incidents  along  a  five-point  scale, 
ranging  from  -2  to  +2,  for  each  of  the  three  dimensions — job  engagement,  perceived  organiza¬ 
tional  support,  and  connectedness  with  coworkers. 
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Figure  3:  Overview  of  the  Five-Point  Scales  for  Interest  Alignment 


As  might  be  expected,  the  high  end  of  the  scale  (+2)  indicates  the  most  positive  assessment  of  the 
dimension,  whereas  the  low  end  of  the  scale  (-2)  indicates  the  most  negative  assessment.  The  mid¬ 
dle  point  on  the  scale  (0)  indicates  a  rather  neutral  assessment,  although  this  assessment  does  not 
indicate  a  desired  situation  for  either  the  organization  or  the  person  involved.  The  points  between 
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the  neutral  point  and  the  high  and  low  ends  (+1  and  -1,  respectively)  indicate  exactly  that — an  as¬ 
sessment  that  is  less  extreme  than  the  end  point,  but  more  extreme  than  the  neutral  point. 

To  provide  coders  with  a  greater  sense  of  the  points  along  the  scale,  we  provided  an  example  at 
each  point  and  provided  previously  developed  survey  questions  used  in  established  assessments 
for  each  dimension.  The  final  scales  used  for  each  dimension — with  examples  and  clarifying 
questions — are  elaborated  in  Appendix  A. 

While  the  information  sources  for  each  incident  are  usually  not  rich  enough  to  answer  the  estab¬ 
lished  survey  questions  individually,  they  can  help  to  get  a  sense  of  where  along  the  five -point 
scale  the  information  that  we  do  have  puts  the  insider’s  behaviors  and  attitudes.  Admittedly,  this 
activity  is  relatively  inexact.  However,  we  can  increase  the  accuracy  and  consistency  of  the  cod¬ 
ing  process  by  requiring  documentation  of  the  coder’s  justification  for  their  rating  on  the  scale  for 
each  dimension.  In  addition,  since  the  insiders’  ratings  may  vary  over  time,  we  provide  ratings 
along  the  five  points  at  each  of  three  contiguous  time  periods  during  the  incident  lifecycle.  This 
range  of  ratings  provides  a  sense  of  the  evolution  of  the  subjects’  attitudes  and  behaviors  over 
time. 

2.2  Incident  Analysis  Results 

We  rated  three  incidents  where  unauthorized  disclosure  of  national  security  information  took 
place.2  Figure  4  provides  an  overview  of  our  analysis  of  each  of  the  three  incidents  of  unauthor¬ 
ized  disclosure  rated  along  the  five-point  scale  from  -2  to  +2.  Each  of  the  three  dimensions  are 
represented  as  separate  graphs,  and  each  of  the  three  time  periods  are  indicated.  The  raters  for 
each  case  also  provided  their  assessment  of  the  overall  score  for  each  dimension. 

As  shown,  Perceived  Organizational  Support  was  negative  in  all  three  incidents  while  Job  En¬ 
gagement  was  negative  in  only  two  of  the  three  (Case2  and  Case3)  and  Connectedness  at  Work 
was  negative  in  only  one  of  the  three  (Case2). 

This  finding  was  a  bit  suiprising.  As  we  looked  at  the  incidents,  it  seemed  like  the  individual  in 
Casel  could  be  fairly  engaged  in  their  job  while  conducting  activities  counter  to  the  organization. 
Even  more  surprising,  the  individuals  in  Case2  and  Case3  maintained  fairly  good  relations  with 
their  coworkers  while  engaging  in  a  betrayal  of  their  organization  and  country. 

While  it  is  impossible  to  draw  general  conclusions  from  this  small  number  of  cases,  the  results  do 
suggest  that  perceived  organizational  support  may  be  more  central  to  our  hypothesis  that  positive 
incentives  can  reduce  insider  threats.  Of  the  three  dimensions  that  we  studied,  the  strongest  nega¬ 
tive  correlation  with  counterproductive  work  behaviors  found  in  the  literature  was  also  linked  to 
perceived  organizational  support.  This  combination  of  evidence  argues  in  favor  of  focusing  on 
that  dimension  in  our  survey  work,  especially  since  we  needed  to  limit  the  number  of  questions  in 
our  survey  to  ensure  an  adequate  response  rate. 


This  report  does  not  identify  the  individuals  rated. 
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The  last  aspect  of  our  analysis  was  to  evaluate  the  attitudes  of  the  insider  threat  actors  as  they 
changed  over  time.  There  was  some  fluctuation  over  time  in  all  three  cases,  but  there  was  a  defi¬ 
nite  trend  downward  on  all  three  dimensions  through  the  early,  middle,  and  late  periods  of  the  in¬ 
cidents.  This  trend  becomes  more  apparent  in  Figure  5,  which  shows  the  sum  of  each  dimension 
across  the  three  cases. 
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early  middle  late 


Figure  5:  Analysis  Rollup  Over  Time 
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3  Organizational  Survey 


The  goal  of  this  survey  was  to  understand  what  types  of  organizational  management  practices  mit¬ 
igate  the  frequency  of  cyber-related  workplace  theft  and  sabotage.  The  extensive  foundational  re¬ 
search  on  the  topic  of  workplace  aggression/crime  and  related  topics  was  hotly  pursued  from 
roughly  the  1960s  to  the  early  2000s.  This  corpus  of  work  evaluated  possible  antecedents  and 
consequences  of  workplace  aggression  and  crime  (called  “counterproductive  workforce  behav¬ 
iors”  or  “CWBs”);  however,  it’s  difficult  to  generalize  these  findings  to  the  digital  age  wherein 
different  machinations  of  theft  and  sabotage  have  evolved. 

Pre-digital  age  discoveries  might  be  unique  to  a  particular  time  period  or  generation  of  workers, 
which  we  call  a  “cohort  effect”  [Shadish  2002],  and  this  effect  poses  a  research  gap.  Because  the 
digital  age  engendered  workplace  surveillance,  performance  monitoring,  etc.  that  employees 
sometimes  maladapted  to  (loneliness,  paranoia,  isolation,  etc.),  we  are  cautious  to  infer  that  ante¬ 
cedents  to  cyber-related  workplace  aggression/crime  is  of  the  same  theoretical  framework  as  pre¬ 
digital  CWBs. 

Little,  if  any,  theoretical  research  has  compared  pre-digital  and  post-digital  CWBs  and  their  ante¬ 
cedents.  This  survey  work  attempts  to  understand  the  relationship  between  antecedents  discovered 
in  the  foundational  research  and  cyber-related  CWBs  or  CY-CWBs.  CY-CWBs  are  those  digital 
counterproductive  workplace  behaviors  that  are  deleterious  to  the  productivity  and  well-being  of 
fellow  employees  within  an  organization. 

3.1  Background 

“Psychometrics”  are  inventories  used  commercially  or  in  academia  to  measure  psychological  phe¬ 
nomenon  of  interest.  The  style  of  the  inventory  and  respective  theory  and  scoring  is  often  endemic 
to  a  particular  class  of  psychological  phenomenon  (cognitive  abilities,  behavioral  frequencies,  at¬ 
titudes,  etc.).  Most  psychometrics  are  designed  and  vetted  with  various  scripted  reliability  and  va¬ 
lidity  metrics.  It  is  common  practice  to  use  an  existing  psychometric  to  build  on  prior  research,  if 
that  inventory  fits  the  research  constraints.  Thus,  we  chose  psychometrics  to  measure  antecedents 
of  interest  but  generated  our  own  CY-CWBs  inventory. 

To  generate  CY-CWBs,  we  reviewed  prior  conceptual  and  theoretical  research  on  the  counterpro¬ 
ductive  workplace  behaviors  and  authored  new  cyber-related  questions  reflecting  each  dimension. 
We  evaluated  three  theoretical  frameworks  of  CWBs  and  related  constructs  and  chose  the  most 
comprehensive  framework,  which  was  Buss’s  1961  typology.  Each  of  the  40+  matrix  items  re¬ 
flected  Buss’  CWB  dimensionality;  however,  we  needed  to  choose  a  subset  of  matrix  items  for 
scoping  purposes. 

From  our  prior  SEI  insider  threat  research,  two  prominent  dimensions  emerged  from  the  case 
studies — sabotage  and  theft — and  those  became  the  two  CY-CWB  dimensions  of  interest.  Section 
3.2,  Method,  discusses  the  detailed  process  of  generating  CY-CWB  questionnaire  items. 
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The  antecedents  of  CWBs  are  well  documented  but  conceptually  disorganized.  One  of  the  most 
notable  antecedents  is  perceived  injustice,3  and  when  coupled  with  a  lack  of  perceived  organiza¬ 
tional  support,4  employee’s  report  a  reduced  sense  of  socio-emotional  and  intellectual  well-being. 
Other  antecedents  include  the  following: 

•  lack  of  supervisor  trust  [Konovsky  1994] 

•  low  levels  of  work  engagement  [Saks  2006,  Schaufeli  2004b,  Shantz  2014,  Sonnentag  2003] 

•  abusive  leadership  [Restubog  2011,  Shoss  2013] 

•  high  workload  [Schaufeli  2004b] 

•  supportive  organizational  climate  [Luthans  2008] 

•  lack  of  worker  autonomy  [Baard  2004,  Gagne  2005] 

Some  of  the  comorbid  emotional  states  include  the  following: 

•  anger  [Cropanzano  1989,  Westman  2001] 

•  aggression  [Bowling  2011,  Neuman  2005,  Penney5] 

•  negative  mood  in  general  [Bushman  2001,  De  Quervain  2004,  Penney5] 

•  emotional  exhaustion  [Krischer  2010] 

•  stress  [Vermunt  2005] 

You  may  be  overwhelmed  by  the  array  of  factors  and  no  less  relieved  to  know  that  the  list  above 
is  far  from  comprehensive.  A  few  meta-analytic  papers  [Dalai  2005,  Kurtessis  2015,  Rich  2010, 
Saks  2006,  Simpson  2009]  have  attempted  to  organize  these  factors  into  layers  of  antecedents  and 
consequences.  Two  meta-analytic  papers  [Dalai  2005,  Kurtessis  2015]  stress  the  importance  of 
perceived  organizational  justice  and  its  impact  on  perceived  organizational  support,  feelings  of 
job  satisfaction,  and  ultimately  the  frequency  of  counterproductive  workplace  behaviors.  Thus, 
justice,  support,  and  satisfaction  became  the  antecedents  of  interest  but  further  scoping  was 
needed. 

Systematically  paring  down  the  antecedents  list  is  required  to  minimize  the  question  load  on  the 
participant.  The  paring  down  process  we  used  is  multifaceted. 

First,  psychometric  quality  is  intimated  with  reliability  and  validity  coefficients  that  are  published 
in  the  foundational  survey  design  documentation  as  well  as  follow-on  validation  studies.  Our  liter¬ 
ature  review  effort  itemized  reliability  and  validity  coefficients  by  psychometric  name,  which  we 
used  in  selection. 

Second,  we  considered  psychometric  type  (e.g.,  metrics  for  cognitive  abilities,  knowledge,  atti¬ 
tudes,  behavioral  frequencies).  Since  we  cannot  interview  employees  who  committed  an  insider 
threat  behavior,  we  were  forced  to  ask  attitudinal  questions  (e.g.,  “Flow  often  do  you  believe  this 


3  [Aquino  2001 ,  Greenberg  1998,  Bolino  2015,  Colquitt  2001 ,  Dalai  2005,  Jermier  1994,  Krischer  2010,  Kurtessis 
2015,  Moorman  1998,  Saks  2006,  Skarlicki  1997,  Vermunt  2005,  Westman  2001] 

4  [Abas  2015,  Baard  2004,  Ferris  2009,  Gagne  2005,  Kurtessis  2015,  Moorman  1998,  Rhoades  2002,  Rhoades 
2001,  Saks  2006,  Shantz  2014,  Shore  1993,  Wayne  1997] 

5  Penney,  L.  M.;  Spector,  P.  E.;  Goh,  A.;  blunter,  E.  M.  &  Turnstall,  M.  A  motivational  analysis  of  counterproduc¬ 
tive  work  behavior  (CWB).  Un published  manuscript,  University  of  Flouston.  Flouston,  Texas.  2007. 
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behavior  occurs  across  the  organization?”)  of  employees  privy  to  cases  of  insider  threat.  An  attrib¬ 
ute  of  attitudinal  psychometrics  is  the  use  of  agreement  response  scales  for  each  question.  How¬ 
ever,  studies  rarely  publish  response  scale  formatting,  and  we  know  that  response  scale  formats 
bias  respondents  implicitly.  Thus,  our  team  documented  the  scale  formats  with  the  highest  re¬ 
sponse  bias.  Furthermore,  we  had  to  decide  whether  people  in  our  sampling  frame  could  speculate 
on  fellow  employee  behaviors,  experiences,  and  attitudes.  Speculation  is  uncertain,  so  to  reduce 
measurement  error,  we  included  ‘don’t  know’  and  ‘does  not  apply  to  me’  response  options. 

To  further  pare  down  psychometric  candidates,  we  also  considered  the  statistical  implications  of 
‘antecedents predicting  CWBs’  versus  ‘antecedents  explaining  CWBs’.  Given  our  non-general- 
izable  sampling  method  discussed  below,  ‘explanation’  was  more  important  than  ‘prediction’  and 
detailed  survey  questions  are  better  suited  for  explanatory  purposes;  whereas  predictive  invento¬ 
ries  comparatively  include  more  parsimonious  sets  of  generically  worded  items.  The  tradeoff  we 
faced  was  that  detailed  items  can  be  confusing  or  can  exhaust  study  participants,  lengthening  the 
time  to  complete  surveys  and  resulting  in  elevated  non-response  rates,  especially  when  no  fiscal 
incentives  are  used  to  counter  non-response. 

In  sum,  we  removed  job  satisfaction  from  our  antecedent  list  because  of  the  generic  item  wording. 
We  chose  the  36-item  Survey  of  Perceived  Organizational  Support  (SPOS)  because  of  the  detailed 
questions,  high  number  of  citations,  stable  factor  loading  across  studies  and  moderately  high  relia¬ 
bility  and  validity.  We  chose  the  organizational  justice  survey  [Moorman  1991]  because  it  was  the 
only  inventory  we  could  find  with  a  published  item  set.  We  generated  our  own  CY-CWB  items 
reflecting  cyber  theft  and  cyber  sabotage. 

This  is  an  exploratory  study  of  the  relationships  between  CY-CWBs,  organizational  support, 
and  organizational  justice.  Our  research  question  is 

To  what  extent  does  an  organization ’s  support  practices  and  typical  sentiment  of  organiza¬ 
tion  justice  relate  to  the  perceived  frequency  of  cyber  related  counter  productive  workplace 
behaviors  (CY-CWBs)  across  an  organization ? 

The  results  are  reported  at  the  aggregate  level. 

3.2  Method 

This  section  describes  the  survey  and  other  materials,  sampling  method,  and  procedures  used  to 
conduct  the  survey. 

3.2.1  Survey  and  Other  Materials 

This  section  first  describes  the  survey  logic  and  then  the  survey  design. 

The  impossible  gold  standard  of  survey  design  is  to  execute  a  matched  sample  of  employees  who 
committed  CY-CWBs  to  those  who  did  not  commit  them  within  the  same  organization.  We  would 
survey  and  measure  the  perceptions  of  both  samples  on  organizational  support  and  justice  that 
they  themselves  experienced. 
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However,  asking  participants  about  CY-CWBs  committed  has  two  prominent  problems: 

1 .  People  are  unwilling,  for  a  variety  of  reasons,  to  report  transgressions  honestly. 

2.  Some  transgressions  can  be  severe  enough  to  warrant  punishment,  so  disclosure  puts  these 
people  at  risk. 

To  relieve  the  burden  of  reporting  uncomfortable  events,  we  asked  insider  threat  professionals 
who  are  privy  to  the  frequency  and  types  of  cyber  insider  threat  cases  (those  who  commit  CY- 
CWBs),  to  estimate  the  frequency  of  CY-CWBs  occurrences  within  their  own  organization.  We 
then  asked  these  same  individuals  to  report  on  what  they  themselves  believed  to  be  the  cultural 
norm  with  respect  to  perceived  organizational  support  and  justice.  We  then  tried  to  find  a  relation¬ 
ship  between  beliefs  about  their  organization  and  beliefs  about  the  frequency  of  CY-CWBs.  One 
person  per  organization  responded. 

The  survey  was  built  from  two  existing  psychometric  inventories  (see  Appendix  A)  measuring 
perceived  organizational  support:  the  36-item  Survey  of  Perceived  Organizational  Support  or  the 
SPOS  [Eisenberger  1986]  and  the  20-item  perceived  organizational  justice  or  the  OJ  [Moorman 
1991].  Short  descriptions  of  these  two  inventories  are  included  below. 

Inventory  items  were  slightly  modified  to  use  the  third-person  perspective.  CY-CWB  items  were 
generated  to  reflect  cyber-related  theft  and  sabotage.  Due  to  resource  constraints,  we  could  not  pi¬ 
lot  test  the  CY-CWB  inventory,  conduct  factor  analytic  analyses  to  reduce  item  loads,  or  conduct 
reliability  and  validity  testing.  However,  we  did  conduct  three  cognitive  task  analyses  on  the  CY- 
CWBs  to  ensure  the  item  wording  reflected  the  dimension  intended. 

The  survey  had  six  sections: 

1 .  consent  form 

2.  survey  download 

3.  SPOS  inventory  (see  copies  of  the  inventories  in  Appendix  B) 

4.  OJ  inventory 

5.  CY-CWB  inventory 

6.  closing  comments 

Participants  were  not  allowed  to  advance  to  the  first  page  of  the  survey  until  they  provided  con¬ 
sent.  Because  we  recognize  the  sensitivity  of  the  topic  and  the  privacy  required  to  honestly  com¬ 
plete  the  study  unsurveilled,  the  next  section  included  an  option  to  allow  the  participant  to  down¬ 
load  a  PDF  copy  of  the  survey  to  mail  to  our  lab. 

We  then  asked  the  number  of  years  the  participant  worked  in  the  current  organization.  The  next 
part  of  this  section  included  basic  survey  instructions  followed  by  our  inventories  presented  in 
random  order.  Each  participant  had  a  different  order  of  inventories  and  also  a  different  ordering  of 
questions  within  each  page  of  the  inventory  (a  common  practice  to  reduce  the  impact  of  nuisance 
variables  emerging  from  question  ordering). 

In  the  closing  comments  section,  we  asked  participants  to  list  their  job  title  and  then  asked  for  rec¬ 
ommended  organizational  practices  that  they  believed  would  significantly  reduce  CY-CWBs.  The 
final  page  thanked  the  participant  for  their  assistance  and  no  fiscal  compensation  was  provided. 
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The  two  inventories  we  used  (the  third  we  created)  are  described  below: 


Perceived  Organizational  Support  (POS).  The  survey  of  perceived  organizational  support  (SPOS) 
[Eisenberger  1986]  was  based  on  Organizational  Support  Theory  and  Social  Exchange  Theory. 
The  SPOS  measures  the  positive  and  negative  perceived  orientation  the  employees  feels  the  or¬ 
ganization  takes  globally  with  respect  to  employee  contribution  and  welfare.  The  original  SPOS 
included  36  items  comprising  two  latent  variables,  then  was  reduced  to  17  items  and  2  factors  in 
the  short  version.  We  used  the  long  version  to  explore  relationships.  The  two  latent  variables  are  a 
valuation  of  the  employee’s  contribution  and  the  care  of  the  person’s  well-being.  Known  to  be 
high  in  internal  reliability,  the  survey  also  boasts,  to  date,  1923  citations  [Eisenberger  1986], 
which  details  the  derivation  and  validation  of  the  SPOS.  The  samples  used  to  derive  the  SPOS 
were  white  collar  workers  in  manufacturing,  credit  bureau  clerical  workers,  telephone  company 
line  workers,  law  firm  secretaries,  bookstore  bookkeepers  and  clerks,  postal  clerks,  financial  trust 
company  employees,  and  high  school  teachers.  Originally  used  to  predict  absenteeism,  the  SPOS 
is  widely  used  to  test  an  array  of  antecedents  to  and  consequences  of  perceived  organizational 
support. 

Organizational  Justice  (OJ).  This  scale  was  designed  to  be  a  parsimonious  measure  of  three  latent 
variables  of  justice:  distributive  justice,  interactional  justice,  and  procedural  justice.  Distributive 
justice  is  the  degree  to  which  rewards  are  allocated  in  an  equitable  manner  [Niehoff  1993].  Proce¬ 
dural  justice  is  the  “degree  to  which  job  decisions  included  mechanisms  that  insured  the  gathering 
of  accurate  and  unbiased  information,  employee  voice,  and  an  appeals  process”  [Niehoff  1993, 
pp.  537].  Interactional  justice  is  the  manner  in  which  an  employee  is  treated  during  typical  deci¬ 
sion  making  within  an  organization.  Twenty  items  were  placed  on  a  seven-point  agreement  scale. 
The  inventory  reports  reliabilities  for  all  three  dimensions  above  [Moorman  1991]. 

3.2.2  Sampling 

The  parameters  of  the  sampling  frame  included  the  following: 

1 .  must  be  at  least  1 8  years  old 

2.  must  be  employed  by  your  current  employer  for  at  least  one  year 

3.  must  possess  knowledge  of  employee  management  practices  across  the  organization 

4.  must  have  knowledge  of  the  insider  threat  cases  discovered  within  the  organization 

The  people  who  met  these  parameters  often  had  a  variety  of  job  titles  in  the  cybersecurity,  HR, 
and  legal  professions.  These  individuals  could  be  analysts,  chief  information  security  officers 
(CISOs),  chief  information  officers  (CIOs),  chief  human  resources  officers  (CHROs),  or  legal 
counsel.  Given  the  variability  of  background  professions  and  job  titles,  the  type  of  job  training  to 
prepare  them  for  insider  threat  work  is  moot.  We  have  no  data  on  the  level  of  education  of  these 
people  in  our  sampling  frame. 

We  have  reason  to  believe  that  this  population  is  fairly  rare  and  challenging  to  reach  with  optimal 
sampling  techniques  (random  sampling,  etc.).  Therefore,  we  used  a  non-probabilistic  snowball 
(perhaps  chained)  sampling  method. 

We  used  an  information  sharing  consortium  that,  through  monthly  teleconferences,  discusses 
challenges  facing  insider  threat  programs,  including  implementing  technical  monitoring,  obtaining 
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international  approval  to  operate,  and  building  a  new  program.  Over  90  organizations  from  a  vari¬ 
ety  of  different  sectors  (e.g.,  banking,  transportation)  are  a  part  of  this  consortium,  but  a  small  per¬ 
centage  of  those  organizational  representatives  attends  each  teleconference.  The  SEI’s  position  as 
trusted  participant  in  this  consortium  allowed  sampling  of  these  generally  hard-to-reach  partici¬ 
pants. 

We  have  no  way  of  discerning  how  many  people  from  each  organization  took  the  survey,  so  we 
anticipate  snowball  sampling.  Many  publications  [Biernacki  1981,  Magnani  2005,  Spreen  1992] 
contest  the  generalizability  of  snowball  sampling  methods  for  hard-to-reach  ‘special’  populations; 
‘special’  because  these  people  are  usually  impenetrable  to  outsiders,  so  response  rates  are  contin¬ 
gent  on  trusted  relationships  [Sudman  1986].  Snowball  sampling  is  a  non-probability  sampling 
method  making  it  impossible  for  generalizable  inference. 

3.2.3  Recruitment  Procedure 

All  participants  were  invited  verbally  during  a  weekly  Open  Source  Insider  Threat  information 
sharing  group  (OSIT)  consortium  call.  The  call  took  place  around  the  first  week  of  August,  2016, 
and  the  verbal  invitation  was  followed  by  an  email  invite  with  the  hyperlinks  to  the  survey  the 
same  day.  The  survey  was  available  to  participants  August  7-30,  2016.  Participants  reviewed  the 
consent  form  and  answered  survey  questions.  No  debriefing  was  conducted. 

3.2.4  Analysis  Procedure 

The  survey  instrument  was  designed  with  an  augmented  Likert  scale  of  5  scaled  responses  and  2 
additional  responses.  The  five  point  scale  ranged  from  “1  =  Strongly  Disagree”  to  “5  =  Strongly 
Agree.”  The  two  additional  responses  were  “I  don’t  know”  or  “Does  not  apply  to  me”. 

Due  to  the  limited  sample  size  of  our  survey  (23  valid  organizational  responses  for  55  questions), 
we  were  unable  to  analyze  the  Likert  scale  as  an  ordinal  scale  with  traditional  psychometric  tech¬ 
niques.  We  instead  made  the  following  three  assumptions.  Lirst,  we  assume  that  the  Likert  scale 
values  were  quantitative,  e.g.  the  difference  between  respondent  A’s  rating  of  a  1  and  a  2  is  pre¬ 
cisely  the  same  as  A’s  rating  difference  between  a  2  and  a  3,  and  so  on  for  all  categories,  all 
scales,  and  all  respondents.  Second,  we  assume  that  the  scale  is  reversible  such  that  questions  with 
negative  valence,  e.g.  POS  22:  The  organization  fails  to  appreciate  any  extra  effort  from  me.,  can 
be  recoded  to  match  the  positive  valence  questions  by  simply  reversing  the  five  point  scale.  Li- 
nally,  we  assume  that  the  average  of  a  respondent’s  answers  on  all  the  questions  on  a  given  scale 
form  a  consistent  estimate  of  the  respondent’s  position  on  that  scale,  e.g.  the  average  of  all  the 
POS  questions  is  a  consistent  estimate  of  the  respondents  true  POS  value. 

The  “I  don’t  know”,  “Does  not  apply  to  me”,  and  unanswered  questions  were  coded  as  missing. 
We  used  multiple  imputation  to  generate  5  plausible  values  for  every  missing  response.  We  used 
the  MICE  algorithm  [van  Buuren  2012]  as  implemented  in  the  mice  R  package  [van  Buuren  2011] 
with  the  random  forest  method  with  a  maximum  50  iterations.  Every  variable  was  included  in  the 
conditional  model  for  every  other  variable. 

Deming  regression  was  used  to  compare  the  organizational  averages  of  the  CWB  scale  against  the 
POS  and  OJ  scales.  The  a  priori  variance  ratios  were  estimated  across  all  5  of  the  multiple  imputa¬ 
tion  datasets  and  the  regression  was  calculated  for  each  individual  dataset  with  95%  bootstrap 
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confidence  intervals  calculated  on  the  slope  parameter  [DiCiccio  1996]  and  then  pooled  across  the 
multiple  imputations. 

3.3  Results 

A  survey  of  members  of  the  Open  Source  Insider  Threat  information  sharing  group  (OSIT) 
yielded  25  responses,  23  of  which  contained  information  about  the  frequency  of  counterproduc¬ 
tive  work  behaviors  in  the  organization.  Of  these  23  responses  only  22%  fully  answered  all  ques¬ 
tions. 

Rates  of  missingness  for  individual  questions  ranged  from  a  maximum  of  65%  missing  (one  ques¬ 
tion,  CWB  20:  Plagiarizing  a  co-worker)  to  a  minimum  of  0%  missing  (24  questions).  The  inter¬ 
quartile  range  of  questions  with  missing  data  spanned  9%  to  26%  missing. 

Exploratory  data  analysis  suggests  that  data  were  not  missing  at  random,  which  further  suggests 
that  our  multiple  imputation  approach  is  necessary  for  unbiased  estimation.  For  example,  the 
choice  of  a  respondent  to  answer  question  CWB  19:  Wiretapping  was  strongly  associated  with  the 
number  of  years  the  respondent  had  been  employed  at  the  organization  with  respondents  choosing 
“Don’t  Know”  or  leaving  the  question  blank  having  typically  5  years  fewer  experience  compared 
to  respondents  who  gave  a  non-missing  response. 

Figure  6  visualizes  the  negative  correlation  between  Perceived  Organizational  Support  and  Insider 
Misbehavior.  The  resulting  Deming  regression  estimate  of  the  slope  is  -1.04,  with  a  95%  confi¬ 
dence  interval  ranging  from  -2.71  to  -0.41.  Note  that  the  negative  association  is  statistically  signif¬ 
icant. 


Perceived  Organizational  Support 

Figure  6:  Negative  Correlation  Between  Perceived  Organizational  Support  and  Insider  Misbehavior 

Figure  7  visualizes  the  negative  correlation  between  Organizational  Justice  and  Insider  Misbehav¬ 
ior.  The  resulting  Deming  regression  estimate  of  the  slope  is  -0.36,  with  a  95%  confidence  inter¬ 
val  ranging  from  -0.78  to  -0.12.  Note  that  the  negative  association  is  statistically  significant. 
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Figure  7:  Negative  Correlation  Between  Organizational  Justice  and  Insider  Misbehavior 

The  results  above  make  it  clear  that  more  positive  employee  attitudes  concerning  organizational 
justice  and  support  correlate  with  lower  frequency  of  insider  misbehavior.  It  is  somewhat  surpris¬ 
ing  that  organizational  justice  is  less  negatively  correlated  than  perceived  organizational  support. 
One  might  expect  that  unfair  treatment  would  be  a  strong  reason  for  insider  misbehavior.  But  per¬ 
ceived  organizational  support  includes  aspects  of  fair  treatment  as  part  of  the  standard  instrument 
for  measurement.  But  it  also  includes  other  aspects  such  as  effective  communication  and  supervi¬ 
sor  supportiveness.  A  plausible  conclusion  to  draw  is  that  breadth  of  coverage  across  the  various 
aspects  of  perceived  organizational  support  is  more  important  than  in  depth  coverage,  at  least  as  it 
relates  to  organizational  justice.  Section  5  will  elaborate  workforce  management  principles  and 
practice  areas  associated  with  perceived  organizational  support.  But  first  we  turn  to  developing  a 
simulation  model  for  what  we  know  so  far. 
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4  Model  of  the  Problem 


This  section  describes  a  simulation  model  of  the  problem  associated  with  employees  being  so  dis¬ 
satisfied  with  the  organization  that  they  become  an  insider  threat  as  a  means  to  further  their  own 
self  interests. 

4.1  System  Dynamics  Background 

System  dynamics  helps  analysts  model  and  analyze  critical  behavior  as  it  evolves  over  time 
within  complex  socio-technical  domains.  It  is  one  of  several  modeling  methods  applicable  to  in¬ 
sider  threat  and  has  been  used  extensively  in  that  domain  [Moore  2016,  Cappelli  2012].  Figure  8 
summarizes  the  notation  used  in  our  system  dynamics  model. 

The  primary  elements  are  variables  of  interest,  stocks  (which  represent  collection  points  of  re¬ 
sources),  and  flows  (which  represent  the  transition  of  resources  between  stocks).  Signed  arrows 
represent  causal  relationships,  where  the  sign  indicates  how  the  variable  at  the  arrow’s  source  in¬ 
fluences  the  variable  at  the  arrow’s  target.  A  positive  (+)  influence  indicates  that  the  values  of  the 
variables  move  in  the  same  direction,  and  a  negative  (-)  influence  indicates  that  they  move  in  op¬ 
posite  directions. 

A  connected  group  of  variables,  stocks,  and  flows  can  create  a  path  that  is  referred  to  as  a  feed¬ 
back  loop.  At  this  stage  in  our  modeling  effort,  we  have  not  identified  any  significant  feedback 
loops. 


Varl 


<Varl> 

+ 

Varl  - >  Var2 


Varl  - >  Var2 


Flowl 


Variable  -  anything  of  interest  in  the  problem  being 
modeled 

Ghost  Variable  -  variable  acting  as  a  placeholder 
for  a  variable  occurring  somewhere  else 

Positive  Influence  -  values  of  variables  move  in  the 
same  direction  (e.g.,  source  increases,  target 
increases) 

Negative  Influence  -  values  of  variables  move  in 
the  opposite  direction  (e.g.,  source  increases,  the 
target  decreases) 

Stock  -  special  variable  representing  a  pool  of 
materials,  money,  people,  or  other  resources 

Flow  -  special  variable  representing  a 
process  that  directly  adds  to  or  subtracts  from 
a  stock 


Cloud  -  source  or  sink  (represents  a  stock 
outside  the  model  boundary) 


Figure  8:  System  Dynamics  Notation 


As  a  convention  in  our  model,  we  format  model  input  variables  with  italics ,  bold,  and  underline 
since  these  variables  can  be  dynamically  manipulated  during  model  execution. 
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4.2  The  Model 


The  core  stocks  and  flows  associated  with  an  employee’s  changing  satisfaction  with  their  employ¬ 
ing  organization  is  shown  in  Figure  9.  We  take  a  simple  view  that  employees  are  either  satisfied 
with  the  organization  or  not,  represented  as  the  two  primary  stocks  involved.  We  assume  that 
newly  hired  employees  may  be  dissatisfied  with  the  organization,  perhaps  as  a  result  of  a  negative 
hiring  or  onboarding  process. 

The  user-settable  variable  percent  satisfied  at  hire  represents  the  percentage  of  those  hired  that 
are  satisfied.  Of  course,  satisfied  employees  can  become  dissatisfied  at  some  rate;  percent  becom¬ 
ing  satisfied  represents  the  percentage  per  month  of  satisfied  individuals  that  become  dissatisfied. 
Likewise,  there  is  a  user-settable  percentage  per  month  of  dissatisfied  individuals  that  become  sat¬ 
isfied;  however,  we  assume  there  is  some  percentage  of  the  workforce  that  is  perpetually  dissatis¬ 
fied  that  is  not  included  in  the  flow  of  employees  becoming  satisfied. 

Finally,  while  employees  leaving  the  organization  may  be  either  satisfied  or  not,  we  expect  a 
larger  percentage  of  dissatisfied  employees  will  leave.  The  next  section  discusses  factors  involved 
with  setting  the  variables  in  the  execution  of  the  model  based  on  existing  data  and  our  project 
analysis. 


Figure  9:  Core  Stocks  and  Flows  in  the  Organizational  Context 


Figure  10  extends  the  model  to  include  the  potential  for  dissatisfied  employees  to  become  dis¬ 
gruntled  and  potentially  become  insider  threat  actors.  We  separate  the  stock  of  disgruntled  insid¬ 
ers  from  the  stock  of  those  that  actually  go  on  to  cause  insider  threat  incidents.  Once  someone 
causes  an  incident,  there  is  no  turning  back;  they  may  be  stopped  from  causing  further  harm,  but 
they  will  forever  be  insider  threat  actors. 
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However,  those  that  are  only  disgruntled  may  get  pulled  back  from  the  brink  either  through  their 
departure  from  the  organization  or  by  their  re-engagement  in  the  mission  of  the  organization.  We 
make  the  following  simplifying  assumptions: 

•  The  rate  of  re-engagement  is  proportional  to  the  rate  of  dissatisfied  employees  becoming  sat¬ 
isfied. 

•  The  rate  of  departure  is  proportional  to  the  rate  of  termination  of  dissatisfied  employees. 

While  these  assumptions  are  debatable,  they  seem  reasonable  for  an  initial  approximation.  We 
discuss  the  interpretation  and  measurement  of  various  aspects  of  the  model  in  the  next  section. 


Figure  1 0:  Emerging  Physics  of  Organization  Dissatisfaction  and  the  Disgruntled  Insider  Threat 


4.3  Model  Settings 

The  model  described  in  the  previous  section  raises  the  question  of  what  the  values  should  be  for 
all  of  the  input  variables  during  model  execution.  We  used  the  following  values  in  model  execu¬ 
tion,  at  least  initially: 

•  percent  satisfied  at  hire  =  90% 

•  percent  satisfied  at  termination  =  20% 

•  percent  becoming  satisfied  =  10%/month 

•  percent  becoming  dissatisfied  =  10%/month 

•  percent  of  workforce  perpetually  dissatisfied  =  5% 

•  percent  becoming  disgruntled  =  10%/month 

•  percent  disgruntled  starting  to  attack  =  0.2%/year 

So  how  did  we  derive  these  values? 

We  started  by  determining  values  from  previous  research  that  we  could  use  with  sufficient  confi¬ 
dence  and  then  directed  our  research  to  determine  reasonable  values  for  other  variables  of  interest. 
We  developed  a  preliminary  version  of  this  model  prior  to  conducting  the  research  described  in 
this  report  and  used  it  to  decide  what  additional  data  to  collect. 
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As  a  starting  point,  we  reviewed  several  studies  that  are  regularly  conducted  to  assess  employee 
attitudes.  Because  of  our  focus  on  the  U.S.  Government,  a  very  important  study  for  us  is  the  Fed¬ 
eral  Employee  Viewpoint  Survey  Results  [OPM  2015].  This  report  shows  that  employee  satisfac¬ 
tion  within  their  organization  has  been  steady  at  about  55%  over  the  past  several  years.  For  sim¬ 
plicity,  we  assume  these  survey  results  mean  that  55%  of  the  employees  are  satisfied  with  their 
organization  and  45%  are  dissatisfied. 

Finally  a  Gallup  study  has  fairly  consistently  found  that  about  18%  of  the  workforce  is  actively 
disengaged,  which  means  that  the  employee  is  “more  or  less  out  to  damage  their  company”  [Gal¬ 
lup  2013].  This  actively  disengaged  employee  is  also  what  we  refer  to  as  the  disgruntled  insider  in 
the  model.  The  values  for  the  input  variables  listed  above  were  derived  by  a  combination  of  iden¬ 
tifying  plausible  values  and  getting  the  percentages  in  the  previous  paragraph  to  work  out  as  a  re¬ 
sult.  We’ll  describe  the  application  of  sensitivity  (Monte  Carlo)  simulation  in  the  next  section  to 
analyze  the  behavior  of  the  model  over  a  range  of  parameter  values  that  represent  the  uncertainty 
associated  with  those  values. 

4.4  Model  Execution 

Simulation  results  are  described  with  respect  to  a  model  equilibrium,  which  is  shown  in  simula¬ 
tion  graphs  as  a  “baseline”  simulation  run.  The  equilibrium  of  the  model  described  in  this  paper 
ensures  that  the  rate  of  change  of  all  stocks  remain  at  a  constant  value  (possibly  zero).  In  equilib¬ 
rium,  a  model  is  easier  to  experiment  with  since  the  analyst  can  more  easily  determine  how  small 
changes  in  input  affect  the  overall  behavior  of  the  simulation.  Any  change  in  behavior  (as  seen  in 
the  behavior-over-time  graphs)  can  be  attributed  to  that  single  changed  input  and  only  that 
change.  It  is  analogous  in  scientific  experiments  to  keeping  all  variables  constant  (i.e.,  the  inde¬ 
pendent  or  controlled  variables)  except  the  ones  being  studied  (i.e.,  the  dependent  variables). 

The  baseline  run  of  our  model  represents  an  organization  with  the  percentages  of  the  total  work¬ 
force  described  above:  specifically,  about  55%  of  the  employees  are  satisfied  with  the  organiza¬ 
tion,  45%  dissatisfied,  and  18%  disgruntled.  These  simulation  results  are  shown  in  Figure  1 1  and 
Figure  12  below.  The  simulated  size  of  the  organization  is  somewhat  arbitrary,  but  in  this  execu¬ 
tion  is  about  1 ,000  people. 
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Employee  Satisfaction  Levels 
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Figure  1 1:  Employee  Satisfaction  Levels6 
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Figure  12:  Employee  Classification  Levels 


Figure  13  shows  the  accumulation  of  insider  threat  incidents  under  the  above  conditions.  The 
baseline  run  shows  about  6  incidents  occurring  over  a  20-year  period.  The  major  factor  here, 
given  our  assumptions,  is  the  variable  percent  disgruntled  starting  to  attack.  This  variable  is  set 


This  behavior-over-time  graph  was  generated  using  the  Vensim  modeling  tool.  The  X-axis  for  the  graphs  is 
specified  in  months  (240  months — twenty  years — is  the  duration  of  this  simulation).  The  legend  below  the  graph 
shows  each  variable  and  the  name  of  the  simulation  run  graphed  in  the  format  “variable:  simulation  run”.  The 
variable  simulation  runs  are  distinguished  with  a  number  label  (1  and  2  in  Figure  13)  and  in  color  copies  also 
specified  in  the  legend  below  the  graph. 
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at  0.2%  per  year.  Put  another  way,  every  year  0.002  Disgruntled  Insiders  are  responsible  for  in¬ 
sider  threat  incidents.  In  equilibrium,  there  are  about  150  disgruntled  insiders,  so  this  is  about  1 
incident  every  3-1/3  years,  accumulating  to  about  6  over  20  years. 


Figure  13:  Individuals  Responsible  for  Insider  Threat  Incidents 

The  simulation  run  named  “50%  satisfaction  improvement”  shows  that  the  number  of  insider 
threat  incidents  drops  in  half  over  the  twenty-year  timeframe  of  the  simulation  when  the  rate  of 
employees  becoming  dissatisfied  drops  by  50%  and  the  rate  of  employees  becoming  satisfied  in¬ 
creases  by  50%. 

This  change,  possibly  due  to  workforce  management  practices  to  improve  employee  attitudes 
about  their  satisfaction  with  the  organization,  takes  place  in  the  simulation  at  month  three,  moving 
the  accumulation  of  insider  threat  incidents  off  its  baseline  trajectory  to  fewer  such  incidents.  Of 
course,  the  actual  decline  is  very  sensitive  to  both  the  percentage  improvement  as  well  the  per¬ 
centage  of  disgruntled  employees  starting  to  attack. 
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Figure  14  shows  the  potential  decline  in  incidents  for  various  values  of  these  two  variables  as  a 
three-dimensional  surface. 


Number  of  Insider  Incidents  After  20  Years 
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Figure  14:  Sensitivity  Simulation  Results  on  Insider  Threat  Incidents 

We  can  now  extend  the  model  to  better  understand  the  cost  savings  from  efforts  to  improve  em¬ 
ployees’  satisfaction  with  the  organization.  In  the  upper  right  corner  of  the  model  extension 
shown  in  Figure  15,  we  include  model  variables  to  estimate  the  number  of  counterproductive 
work  behaviors  of  satisfied  employees  and  a  multiplier  of  that  number  of  behaviors  for  dissatis¬ 
fied  employees.  Costs  are  estimated  both  as  a  cost  per  counterproductive  work  behavior,  in  terms 
of  lost  productivity,  and  the  costs  associated  with  insider  threat  incidents. 

The  following  values  are  assumed  for  these  variables  in  our  analysis: 

•  CWB  per  satisfied  =  0.5  CWB/month 

•  multiplier  CWB  rate  per  dissatisfied  =  4.0 

•  cost  per  CWB  =  $500 

•  cost  per  incident  =  $1M 
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Figure  15:  Model  Extension  to  Estimate  Potential  Cost  Savings 


We  calculate  the  yearly  costs  as  the  simple  sum  of  the  costs  of  productivity  loss  due  to  CWBs  and 
the  costs  due  to  disgruntled  insider  threat  incidents.  We  form  a  yearly  cost  index  based  on  the 
costs  associated  with  no  satisfaction  improvement  (i.e.,  where  percent  satisfaction  improvement 
at  month  3  is  0). 


Figure  16  shows  the  decrease  in  relative  cost  from  the  baseline  due  to  various  levels  of  satisfac¬ 
tion  improvement.  For  example,  with  the  505  satisfaction  improvement  that  we  analyzed  previ¬ 
ously,  we  get  a  25%  reduction  in  yearly  costs  associated  with  egregious  insider  threat  incidents 
and  other  counterproductive  work  behaviors. 


Figure 
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5  Positive  Incentive-Based  Principles  and  Practice  Areas 


We  believe  that  continuing  the  research  started  in  this  report  is  critical  to  establishing  and  manag¬ 
ing  effective  insider  threat  programs.  Our  vision  is  the  extension  of  the  traditional  security  ap¬ 
proach  shown  in  Figure  17.  The  right  side  of  the  figure  depicts  the  traditional  approach  focused  on 
negative  incentives  that  restrict  employees  to  prevent  abuse  and  detects  and  punishes  abuse  when 
it  occurs.  This  approach  is  based  on  a  negative  form  of  deterrence  as  promulgated  in  deterrence 
theory,  which  says  that  people  obey  rules  because  they  fear  getting  caught  and  being  punished. 
Restricting,  detecting,  and  punishing  employees  reinforces  the  deterrence  (negative)  of  abuse. 


Balanced  Deterence:  Extending  the  Traditional  Security  Paradigm 
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Figure  1 7:  Extending  the  Traditional  Information  Security  Paradigm 

Our  extension  of  security  through  positive  incentives  is  shown  on  the  left  side  of  the  figure.  In  its 
current  form,  as  supported  by  our  research,  organizational  support  (including  organization  justice) 
is  shown  as  the  foundation  of  positive  deterrence.  With  this  foundation  in  place,  connectedness 
with  coworkers  and  job  engagement  serve  to  strengthen  an  employee’s  commitment  to  the  organi¬ 
zation.  Organization  support  and  connectedness  also  strengthen  overall  engagement  in  a  feedback 
effect. 

This  form  of  positive  deterrence  complements  the  use  of  negative  deterrence  by  reducing  the 
baseline  of  insider  threat  in  a  way  that  can  improve  employees’  satisfaction,  performance,  and 
commitment  to  the  organization.  As  illustrated  in  our  modeling  effort,  fewer  incidents  and  coun¬ 
terproductive  behaviors  reduces  costs  through  fewer  investigations  and  greater  staff  productivity. 
Employing  the  right  mix  and  ratio  of  positive  and  negative  incentives  in  an  insider  threat  pro¬ 
gram  can  create  a  net  positive  for  the  employee — moving  an  insider  threat  program  from  a 
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“big  brother”  program  to  a  “good  employer”  program  that  actually  improves  employees’ 
work  life. 

Figure  1 8  provides  a  breakdown  of  practice  areas  relevant  to  developing  and  retaining  staff  to 
achieve  an  organization’s  mission,  with  a  particular  focus  on  positive  incentives.  The  first  two 
branches  off  the  root  node  at  the  left  side  of  the  figure  involve  workforce  management  practices, 
including  hiring  and  retaining  the  appropriate  staff  with  the  right  job  responsibilities  and  ensuring 
that  they  are  positively  motivated  to  execute  responsibilities  that  support  achieving  the  organiza¬ 
tion’s  mission. 

The  third  branch  acknowledges  the  fact  that  employees  can  act  counter  to  the  organization  mis¬ 
sion  even  if  they  perform  their  job  well  in  other  respects.  This  branch,  which  traverses  the  red 
node  in  the  figure,  makes  this  partitioning  particularly  appropriate  for  guiding  the  development 
and  refinement  of  insider  threat  programs.  The  second  and  third  branches,  in  combination,  show 
that  practices  can  benefit  the  organization  in  terms  of  employee  satisfaction,  performance,  and  re¬ 
tention  as  well  as  reducing  the  insider  threat. 


Figure  18:  Taxonomy  of  Positive  Incentive  Workforce  Management  Practice  Areas 


This  section  describes  practice  areas  that  can  positively  incentivize  employees  in  their  job  and 
work  with  their  employer.  The  first  part  of  this  section  elaborates  the  first  branch  of  Figure  1 8  that 
has  bold  arrows  that  represent  attracting  the  right  staff. 

The  second  part  of  this  section  elaborates  the  second  and  the  third  branches  of  Figure  1 8  that  ter¬ 
minate  with  the  fundamental  practice  areas  associated  with  perceived  organization  support  on  the 
right  side  of  the  figure. 
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We  finish  this  section  with  a  discussion  of  organizational  culture.  (Appendix  C  provides  a  graphic 
of  all  the  practice  areas  integrated  together.)  This  discussion  focuses  on  practice  areas  that  pro¬ 
mote  perceived  organizational  support  because,  as  we  previously  described,  we  believe  that 
achieving  this  perception  to  be  the  foundation  for  other  positive  incentives  an  organization  can 
employ.  Without  that  perception,  all  else  can  be  undermined.  As  a  context  for  our  discussion,  Fig¬ 
ure  1 8  also  shows  other  factors  that  insider  threat  program  managers  should  consider  when  de¬ 
signing  their  programs. 

5.1  Hiring  the  Right  Staff 

Needs  assessment  by  hiring 
^  group  to  develop  job  description 
linked  to  mission 

Establish  values  congruence  criteria 

to  determine  alignment  of 
individuals  with  organization  values 

Structured  interviewing  to 

determine  values  congruence  and 
alignment  with  job  description 

Establish  policies  and  procedures  for 
action  when  employee  values  become 
misaligned  with  organization  values 

Figure  19:  Factors  Involved  in  Hiring  the  Right  Staff 

Establishing  and  maintaining  the  right  workforce  is  a  precondition  of  getting  positive  incentive- 
based  practices  to  work  well.  Congruence  of  values  between  employees  and  the  organization  in¬ 
herently  promotes  perceptions  of  organizational  support  [Eisenberger  2011,  page  87].  While  back¬ 
ground  checks  and  reference  checks  are  common  practices,  some  organizations  may  decide  to 
conduct  psychometric,  personality,  or  background  tests  as  a  condition  of  employment  if  the  sector 
in  which  the  organization  operates  permits  it.  For  federal  government  organizations,  government- 
sponsored  labs,  and  contractors,  the  ability  to  obtain  a  security  clearance  involving  extensive 
background  checks  may  be  a  condition  of  employment. 

The  hiring  process  usually  starts  with  a  needs  assessment  conducted  with  the  hiring  group,  possi¬ 
bly  facilitated  by  the  HR  department.  A  job  description  is  the  likely  work  product  used  in  struc¬ 
tured  interviews  of  job  candidates.  Competency-based  interviewing  can  be  a  good  way  to  solicit 
and  verify  the  candidate’s  qualifications,  including  both  social  skills  and  technical  capabilities. 
(See  the  Loominger  competencies  [Jantti  2012].)  If  the  job  description  reflects  the  skills  and  capa¬ 
bilities  needed  and  its  contribution  to  the  organization’s  mission,  then  a  good  employee  match 
with  the  job  description  should  ensure  the  person’s  ability  to  fulfil  the  job  responsibilities. 

There  are  usually  more  options  available  other  than  termination  in  the  case  of  an  employee  who 
becomes  dissatisfied  with  their  job  (e.g.,  adjusting  their  responsibilities  and/or  moving  to  another 


Attract  new  staff  to 
execute  job  responsibilities 
linked  to  mission 
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team  within  the  organization).  However,  if  an  employee’s  values  become  misaligned  with  the  or¬ 
ganization’s  values,  lack  of  resolution  may  require  the  person  to  be  respectfully  but  expeditiously 
ushered  out  of  the  organization. 

5.2  Perceived  Organizational  Support 

Perceived  organizational  support  (POS)  involves  the  extent  to  which  employees  believe  their  or¬ 
ganization  values  their  contributions,  cares  about  their  well-being,  supports  their  socio-emotional 
needs,  and  treats  them  fairly.  A  foundation  of  POS  is  social  exchange  theory — a  theory  in  which 
individuals  interact  with  others  and  invest  in  relationships  in  a  way  that  maximally  benefits  them¬ 
selves. 

A  key  concept  is  the  norm  of  reciprocity,  which  has  both  a  positive  and  negative  form.  Positive 
reciprocity  involves  the  actions  of  employees  in  the  interests  of  the  organization  as  a  form  of  re¬ 
payment  (or  obligation  created)  for  favorable  treatment  by  the  organization.  Negative  reciprocity 
involves  misbehaviors  of  employees  performed  because  of  perceived  mistreatment. 

With  these  basic  concepts,  it  is  not  difficult  to  see  how  perceptions  of  organizational  support 
could  influence  insider-threat-related  behaviors.  How  can  an  organization  promote  these  percep¬ 
tions?  As  identified  in  Figure  18  and  elaborated  below,  POS  can  be  encouraged  through  organiza¬ 
tional  justice,  adequate  rewards  and  recognition,  effective  communication,  supportive  manage¬ 
ment,  and  effective  working  conditions  [Eisenberger  2011]. 

Organizational  Justice 


Fair  total 
compensation 


Figure  20:  Factors  Involved  in  Organizational  Justice 
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Past  research  shows  that  employees’  sense  of  fair  treatment  by  the  organization  is  the  strongest 
determinant  of  POS  [Eisenberger  2011].  Organizational  justice  involves  three  types  of  justice: 

•  Distributive  justice  involves  fairness  of  the  distribution  of  resources  within  the  organization, 
either  tangible  forms,  such  as  payment  and  rewards,  or  intangible  forms,  such  as  praise  and 
recognition.  For  example,  aligning  salaries  and  benefits  to  comparable  industry  benchmarks 
can  help  facilitate  perceptions  of  fairness. 

•  Procedural  justice  involves  fairness  of  the  processes  and  procedures  in  the  organization  that 
involve  outcomes  important  to  employees.  Employees’  sense  of  organization  support  comes 
from  the  consistency  and  fairness  of  procedures  involving  performance  appraisals,  for  exam¬ 
ple. 

•  Interactional  justice  involves  the  quality  of  treatment  employees  receive  as  the  organization 
makes  decisions  that  affect  them,  such  as  interpersonal  explanation  of  decisions  in  a  respect¬ 
ful  and  informative  way  (sometimes  called  interpersonal  justice  and  informational  justice,  re¬ 
spectively).  For  example,  perceptions  of  interactional  justice  may  depend  on  a  compassionate 
and  flexible  response  to  an  employee’s  request  for  time  off  to  deal  with  an  ailing  parent  or 
child. 

While  feelings  that  an  employer’s  actions  are  fair  and  equitable  may  come  over  many  years  of  an 
employee’s  experience,  involving  the  employee’s  perception  of  the  organization’s  treatment  of 
their  coworkers  and  self,  these  three  types  of  justice  allow  us,  in  our  research,  to  identify  specific 
practices  that  can  bolster  the  employee’s  overall  sense  of  fairness.  Threads  associated  with  these 
justice  types  appear  in  the  following  sections. 


Adequate  Rewards  and  Recognition 
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Figure  21:  Factors  Involved  in  Adequate  Rewards  and  Recognition 
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Some  prominent  research  has  found  that  extrinsic  incentives,  such  as  pay  raises  and  rewards,  can 
reduce  an  individual's  intrinsic  sense  of  satisfaction  and  fulfillment.  However,  in  general,  that  re¬ 
search  only  weakly  links  the  incentive  with  performance.  Beyond  distributive  justice,  rewards  and 
recognition  that  are  strongly  linked  to  performance  can  boost  an  employee's  sense  of  competence 
and  mastery,  which  as  a  result,  increases  perceptions  of  organizational  support.  Organizational  re¬ 
wards  and  recognition,  which  are  discretionary  by  management  or  peers,  have  a  much  greater  ef¬ 
fect  on  feelings  of  organizational  support  than  across-the-board  recognition.  In  addition,  aligning 
salaries  and  benefits  to  comparable  industry  benchmarks  can  help  facilitate  perceptions  of  fair¬ 
ness. 

Making  sure  employees  know  about  the  total  remuneration,  including  benefits,  may  be  important 
especially  where  organizations  are  restricted  in  the  salary  levels  that  can  be  offered.  Promotions 
should  also  be  aligned  across  the  organization  with  the  level  of  employee  responsibility  and  per¬ 
formance. 

Problems  can  occur  in  organizations  where  the  primary  means  of  advancement  is  into  manage¬ 
ment  positions  different  from  the  technical  positions  into  which  employees  are  hired.  Manage¬ 
ment  skills  are  a  discipline  of  their  own;  there  is  no  guarantee  that  technical  people  have  such 
skills.  Creating  a  technical  track  of  advancement  separate  from  the  management  track  can  help 
ameliorate  these  problems. 

Effective  Communication 
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Figure  22:Factors  Involved  In  Effective  Communication 


Management’s  effective  communication  with  employees  starts  from  day  one  of  an  employee’s 
tenure  with  new-employee  orientation  and  mentoring  to  help  establish  the  new  employee’s  posi¬ 
tion  in  the  organization.  Effective  communication  supports  an  employee’s  feelings  of  organiza¬ 
tional  support  during  both  good  and  bad  times.  The  greatest  gains  in  perception  of  organizational 
support  come  when  management  voluntarily  acts  in  favorable  ways  to  employees,  rather  than,  for 
example,  as  a  result  of  contractual  agreements  or  regulations.  However,  management  needs  to 
communicate  the  discretionary  nature  of  their  actions  and  the  benefit  to  the  employees.  Managers 
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should  facilitate  information  sharing  among  and  within  groups,  especially  because  it  helps  em¬ 
ployees’  work  performance. 

Reduction  in  POS  due  to  unfavorable  treatment  may  be  lessened  through  effective  communica¬ 
tion.  For  example,  the  organization  may  justify  the  treatment  as  outside  the  organization’s  control, 
diplomatically  explain  the  legitimacy  of  the  treatment,  or,  in  some  cases,  simply  apologize  for  ad¬ 
mitted  poor  treatment  and  rectify  the  matter  in  the  future.  Transparently  accounting  for  manage¬ 
ment  actions  and  conditions  may  be  the  best  way  to  ensure  employees  feel  fairly  treated.  Up-front, 
explicit  expectation  setting  may  also  help  to  prevent  employees  from  forming  unrealistic  expecta¬ 
tions  that  will  ultimately  fail  to  be  fulfilled. 

Employees’  sense  of  organization  support  also  comes  from  consistency  and  fairness  of  the  proce¬ 
dures  involving  performance  appraisals,  which  rely  on  managers’  effective  communication.  Of 
course,  performance  improvement  plans  may  be  necessary,  but  should  be  conducted  construc¬ 
tively  with  a  focus  on  the  positive  aspects  of  employee  performance,  rather  than  dwelling  on  the 
negative  aspects. 

Fair  grievance  and  conflict  resolution  procedures  should  be  in  place  to  address  issues  as  they 
come  up.  For  individuals  reluctant  to  express  their  concerns,  anonymous  commenting  procedures 
may  serve  a  useful  purpose.  Managers  need  to  both  effectively  communicate  to  and  facilitate 
communication  from  employees. 

Supportive  Management 
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Figure  23:Factors  Involved  in  Supportive  Management 


For  the  purposes  of  this  report,  supportive  management  deals  mostly  with  interactional  justice  as¬ 
sociated  with  the  treatment  employees  receive  from  their  direct  supervisors.  Supervisors  need  to 
know  their  direct  reports  well  to  make  informed  decisions  regarding  their  work  assignments  and 
daily  work  execution.  Making  sure  employees  have  the  resources  needed  to  execute  task  demands 
is  essential.  Providing  these  resources  and  opportunities  for  professional  development  chosen  by 
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the  employee  facilitates  the  employees’  feelings  of  mastery  of  their  domain  of  interest,  job  en¬ 
gagement,  and  support  by  the  organization  in  furthering  their  careers. 

Employees  that  perform  well  can  be  given  opportunities  to  identify  and/or  participate  in  special 
projects,  as  long  as  those  opportunities  are  available  to  all  employees.  Supportive  supervisors  can 
grant  an  employee  a  level  of  autonomy  commensurate  with  that  employee’s  experience  and  com¬ 
petence.  Employees  interested  in  the  work  of  other  teams  can  be  given  the  opportunity  to  work  on 
joint  projects  or  rotate  to  other  teams  in  the  organization  in  which  they  have  an  interest. 

Supportive  management  also  pertains  to  times  when  the  employee  is  experiencing  difficulties.  As 
mentioned,  perceptions  of  interactional  justice  may  depend  on  a  supervisor’s  compassionate  and 
flexible  response,  for  example,  to  an  employee’s  request  for  time  off  to  deal  with  medical  issues. 
When  problems  arise  with  an  employee’s  performance,  appreciative  inquiry  can  be  a  way  to  focus 
and  build  on  what  is  going  well — a  much  more  self-affirming  and  effective  approach  than  focus¬ 
ing  on  what  is  going  wrong  [Whitney  2010]. 

Workload  balancing  may  be  necessary  in  cases  where  high  performers  are  executing  more  than 
their  fair  share  of  the  work  across  employees  of  comparable  levels.  Another  problem  arises  when 
employees  are  split  across  so  many  projects  that  the  overhead  associated  with  context  switching 
degrades  performance  or  just  makes  the  job  miserable.  Rightsizing  the  number  of  projects  per  per¬ 
son  can  improve  employees’  feelings  of  organizational  support.  The  organization  should  provide 
and  managers  should  encourage  employee  assistance  programs  to  help  with  difficulties  both  per¬ 
sonal  and  professional. 


Effective  Working  Conditions 
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Figure  24:  Factors  Involved  in  Effective  Working  Conditions 


Issues  dealt  with  previously,  such  as  management  supportiveness  and  organizational  communica¬ 
tion,  certainly  influence  the  quality  of  the  overall  work  environment.  However,  many  working 
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conditions  are  so  ingrained  in  an  organization’s  way  of  doing  things  that  they  may  be  barely  no¬ 
ticeable  to  management.  These  conditions  may  actually  be  part  of  the  culture  of  the  organization, 
which  the  next  section  discusses  in  detail. 

Effective  working  conditions  deal  with  issues  that  may  receive  little  attention.  However,  unless 
they  are  explicitly  acknowledged,  they  may  leave  some  employees  feeling  unsupported.  These 
implicit  working  conditions  vary  greatly  by  organization,  but  may  include  bigger  issues,  such  as 
terms  of  employment,  work-hour  or  location  flexibility,  and  work-family  policies,  or  smaller  is¬ 
sues  such  as  acceptable  office  temperature.  Some  of  these  issues  may  be  flexibly  addressed  by 
lower  level  managers.  However,  if  they  are  ingrained  in  culture  and  policy,  they  may  present  big¬ 
ger  obstacles  to  employees.  Organizations  need  to  consider  the  many  potential  issues  involving 
working  conditions  in  creating  an  environment  that  is  supportive  to  employees. 

5.3  Sociocultural  Considerations 

Sociocultural  considerations  at  the  individual,  group,  and  organizational  levels  are  also  pertinent 
to  the  successful  adoption  of  positive  incentives  that  reduce  the  insider  threat.  This  importance  is 
due,  in  part,  to  the  diverse  cultural  backgrounds  of  the  individuals  employed  by  organizations  as 
well  as  the  culture  and  subcultures  of  the  organization  and  its  subunits. 

Today,  the  workforce  employed  by  organizations  in  the  United  States  commonly  includes  individ¬ 
uals  who  were  born  and  reared  outside  the  city,  state,  and  region  of  the  organization’s  location  as 
well  as  outside  the  United  States.  According  to  the  Bureau  of  Labor  and  Statistics,  in  2014,  16.6% 
of  those  employed  (16  years  old  and  over)  were  foreign  bom.7  The  majority,  30.7%,  of  the  for¬ 
eign-born  were  employed  in  the  fields  of  management,  professional,  and  related  occupations. 

The  cultural  diversity  of  the  workforce  has  created  organizations  that  can  be  described  as  being 
culturally  heterogeneous.  This  cultural  heterogeneity  may  require  organizations  to  consider  the 
cultural  composition  of  the  workforce  and  the  culturally  relevant  motivators  that  encourage  em¬ 
ployees  to  act  consistent  with  their  interest.  For  example,  cultural  variations  in  communication, 
concepts  of  time,  and  degree  of  individualism  and  collectivism  adopted  from  their  birth  countries 
may  directly  impact  how  individuals  and  groups  consume  and  interpret  workforce  management 
practices. 

When  communicating,  meaning  and  context  cannot  be  decoupled,  and  it  is  important  for  manage¬ 
ment  to  examine  meaning  and  context  together.  The  high-low  context  continuum  created  by  Hall 
in  1976  considers  both  meaning  and  context,  and  places  cultures  along  a  dimension  spanning  from 
high  context  to  low  context  [Hall  1976].  This  continuum  provides  insights  for  understanding  cul¬ 
turally  significant  differences  between  cultures  and  communication. 

In  high-context  cultures,  cultural  knowledge  is  implicit,  and  contextually  bound  non-verbal  as¬ 
pects  of  communication  are  as  important  as  is  the  silence  that  accompanies  the  explicit  verbal 
code  (i.e.,  the  words  themselves).  The  focus  of  the  high-context  culture  is  people  and  relationships 
and,  through  these  relationships,  an  understanding  of  the  non-verbal  aspects  of  communication 
find  meaning.  In  a  low-context  culture,  knowledge  is  explicit  and  communication  in  both  written 
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and  spoken  form  is  explicit  and  based  on  direct  statements.  In  low-context  cultures,  the  listener 
understands  the  message  as  it  was  intended  [Hall  1976]. 

How  people  perceive  and  organize  time  and  space  is  a  sociocultural  construct  that  influences  our 
daily  lives — how  we  interact  with  others  and  how  we  perceive  our  past  and  future.  Based  on  eth¬ 
nographic  research,  Hall  proposed  two  variant  solutions  of  how  time  and  space  are  culturally  or¬ 
ganized — monochromic  and  polychromic  time.  Cultures  with  polychromic  tendencies  view  time 
as  something  that  is  fluid,  flexible,  and  adjustable  to  fit  the  needs  of  the  individual  or  group.  In 
monochromic  cultures,  time  is  viewed  as  something  that  is  structured  and  can  be  compartmental¬ 
ized  and  wasted  [Hall  1976].  Tardiness  to  meetings,  pre -meeting  conversation,  or  interruptions  are 
acceptable  in  polychromic  cultures,  while  it  is  considered  unacceptable  in  monochromic  cultures. 

Broad  generalizations  about  the  sociocultural  construct  of  a  country  can  be  found  in  Hofstede’s 
dimensions  of  individuals  and  collectivism.  Individualism  and  collectivism  each  represent  a  set  of 
distinguishing  values;  a  position  on  the  dimension  reflects  a  focus  of  either  “I”  (the  individual)  or 
“we”  (the  collective  group).  On  a  scale  of  0  to  1 00,  the  most  collectivistic  countries  are  closest  to 
0,  and  those  with  high  individualistic  traits  are  closer  to  100. 

Interpersonal  relationships  and  trust  are  important  to  all  aspects  of  life  in  high-context  and  collec¬ 
tivistic  societies.  Behavior  in  collectivistic  societies  is  governed  by  in-group  norms  with  a  focus 
toward  the  good  of  the  collective  group  versus  the  good  of  the  individual.  Collectivistic  cultures 
value  a  sense  of  self-respect  and  having  the  acceptance  and  approval  of  one’s  peers,  supervisors, 
and  family  members.  Conflict  can  arise  from  the  violation  of  boundaries,  norms  of  group  loyalty 
and  commitment,  reciprocal  obligations,  and  trust.  When  dealing  with  conflicts  or  problems,  high- 
context,  collectivistic  societies  focus  on  the  social  aspects  and  implications  of  a  problem  [Guess 
2004].  According  to  Guess,  members  of  these  societies  value  security  (of  the  group),  are  more 
risk-avoiding,  and  follow  passive,  collaborative,  and  avoidance  strategies. 

In  summary,  when  organizations  design  and  deploy  positive  incentives,  they  should  consider  the 
sociocultural  composition  of  the  workforce.  This  consideration  ensures  their  practices  provide 
motivators  for  individuals  and  groups  with  high-context,  polychromic  collectivistic  tendencies 
and  low-context,  monochromic,  and  individualistic  tendencies.  For  example,  individuals  with 
high-context,  polychromic,  and  collectivistic  tendencies  might  respond  best  to  practices  that  illus¬ 
trate  the  positive  benefits  to  the  group  and  the  long-term  impacts.  Individuals  with  low-context, 
monochromic,  and  individualistic  tendencies  might  respond  best  to  practices  that  illustrate  the 
positive  to  the  individual  and  include  short-  and  long-term  impacts. 
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6  Conclusions  and  Future  Work 


Traditional  insider  threat  management  involves  practices  that  constrain  users,  monitor  their  be¬ 
havior,  and  detect  and  punish  misbehavior.  Such  negative  incentives  attempt  to  force  employees 
to  act  in  the  interests  of  the  organization  and,  when  relied  on  excessively,  can  result  in  negative 
unintended  consequences  that  exacerbate  the  threat. 

Positive  incentives  that  attempt  to  attract  employees  to  act  in  the  interests  of  the  organization  can 
complement  negative  incentives.  We  identified  and  analyzed  three  avenues  for  aligning  the  inter¬ 
ests  of  the  employee  and  the  organization:  job  engagement,  perceived  organizational  support,  and 
connectedness  with  coworkers.  This  report  describes  research  that  provides  evidence  that  a  partic¬ 
ular  set  of  positive  incentives  focused  on  increasing  organizational  support  to  employees  can  re¬ 
duce  the  insider  threat. 

In  summary,  this  report  describes  our  research  progress  in  several  areas: 

•  Analyzing  several  high-profile  insider  incidents  for  the  levels  of  job  engagement,  coworker 
connectedness,  and  perceived  organization  support  evident  during  the  incident  timeline.  Per¬ 
ceived  organizational  support  was  found  to  be  extremely  negative,  while  job  engagement  and 
coworker  connectedness  were  found  to  be  low,  but  not  necessarily  in  the  extreme.  These  inci¬ 
dent  case  studies  suggested  focusing  on  organizational  support  in  our  survey  research. 

•  Conducting  a  survey  of  individuals  responsible  for  establishing  insider  threat  programs  in 
organizations.  Supporting  and  extending  previous  research,  we  found  a  negative  correlation 
between  perceived  organizational  support  and  intentional  (primarily  malicious)  counterpro¬ 
ductive  work  behaviors.  A  somewhat  weaker  negative  correlation  was  also  found  between  or¬ 
ganizational  justice  and  these  behaviors.  The  relationships  were  found  to  be  statistically  sig¬ 
nificant  at  the  95%  confidence  level.  However,  the  exploratory  nature  of  our  initial  analysis 
does  not  permit  us  to  generalize  this  relationship  to  the  larger  population  of  organizations. 

•  Developing  a  simulation  model  that  illustrates  the  value  of  positive  incentives.  We  developed 
a  system  dynamics  model  based  on  published  data  and  simple  (but  arguable)  assumptions 
showing  how  positive,  intrinsic  incentives  can  increase  a  program’s  operational  efficiency 
with  reduced  investigative  costs  and  fewer  incidents  involving  disgruntled  or  exploitive  insid¬ 
ers.  Our  incident  analysis  and  survey  work  provided  validation  of  the  simulation  model  struc¬ 
ture  (i.e.,  the  stock  and  flow  structure  of  the  system  dynamics  model).  We  will  continue  to 
calibrate  our  model  based  on  future  research  and  expect  to  demonstrate  similar  benefits  as  our 
work  progresses. 

Our  research  raises  many  questions  about  how  an  insider  threat  program  can  or  should  incorporate 
positive  incentives  that  improve  employees’  perceptions  of  support  by  the  organization.  We  elab¬ 
orate  important  principles  and  practice  areas,  but  this  is  just  a  first  step.  Our  future  work  will  fo¬ 
cus  on  what  we  believe  to  be  the  key  to  a  successful  insider  threat  program:  identifying  the  mix  of 
positive  and  negative  incentives  that  creates  a  net  positive  for  employees. 

The  challenge  is  that  people  respond  to  negative  incentives  differently  depending  on  the  culture  of 
the  organization,  the  nature  of  their  job,  and  their  personality.  Fortunately,  existing  theory  pro¬ 
vides  insight  into  these  differences  and  can  illuminate  a  means  for  building  a  general  transition 
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process  to  take  an  organization  from  its  current  state  to  one  that  has  a  balance  of  positive  and  neg¬ 
ative  incentives  that  promotes  employee  satisfaction,  performance,  and  retention  while  also  being 
more  effective  at  reducing  the  insider  threat. 
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Appendix  A  Scales  Used  in  Incident  Coding 


Perceived  Organizational  Support  Scale  [Eisenberger  1986] 
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Figure  25:  Perceived  Organizational  Support  Scale 


To  what  extent  would  the  subject  of  the  incident  agree  or  disagree  with  the  following  statements 
about  the  victim  organization? 

1 .  The  organization  values  my  contribution  to  its  well-being. 

2.  The  organization  appreciates  the  extra  effort  I  give. 

3.  The  organization  would  respond  to  complaints  I  might  have. 

4.  The  organization  really  cares  about  my  well-being. 

5.  The  organization  would  notice  if  and  when  I  do  exceptional  work. 

6.  The  organization  cares  about  my  general  satisfaction  at  work. 

7.  The  organization  shows  concern  for  me. 

8.  The  organization  takes  pride  in  my  accomplishments  at  work. 
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Job  Engagement  Scale  [Schaufeli  2006] 
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dedicated,  absorbed  at 
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through  the  day, 

(eg,  performs 

does  not  put  any 

work  and  in  job  most  of 

depression,  late  with 

putting  time  in  only) 

adequately  while  on 

extra  effort  beyond 

the  time) 

assignments  or 
complete  non¬ 
performance, 
disrupting  others' 
work) 

job  but  watches  clock 
and  doesn’t 
volunteer) 

normal  work  hours) 

Figure  26:  Job  Engagement  Scale 


For  the  incident  in  question,  to  what  extent  do  you  agree  or  disagree  with  the  following  statements 
about  the  subject’s  job  in  the  victim  organization?  (Note:  questions  1-3  are  about  the  employee’s 
vigor  in  their  job;  questions  4-6  are  about  the  employee’s  dedication  to  their  job;  and  questions  7- 
9  are  about  the  employee’s  absorption  in  their  job.) 

1 .  At  work,  I  feel  bursting  with  energy. 

2.  At  my  job,  I  feel  strong  and  vigorous. 

3.  When  I  get  up  in  the  morning,  I  feel  like  going  to  work. 

4.  I  am  enthusiastic  about  my  job. 

5.  My  job  inspires  me. 

6.  I  am  proud  of  the  work  that  I  do. 

7.  I  feel  happy  when  I  am  working  intensely. 

8.  I  am  immersed  in  my  work. 

9.  I  get  carried  away  when  working. 
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Connectedness  with  Coworkers  Scale  [Brien  2012,  Malone  2012] 


-2 

A 

1 

0 

1 

1 

+2 

w 

Strongly  Disagree: 

1 

Disagree: 

1 

Neither  Agree  nor 

1 

Agree: 

• 

Strongly  Agree: 

Antagonistic  with 

Conflict  with 

Disagree: 

Mostly  Professional 

High  Level  of 

Coworkers 

Coworkers 

Isolated  from 

with  Coworkers 

Connectedness 

(eg,  lack  of  relations 

(eg,  minimal  relations 

Coworkers 

(eg,  friendly  with 

(eg,  friends  with 

needed  to  do  job, 

with  some  conflict 

(eg,  maintaining 

coworkers  but 

coworkers  including 

lots  of  conflict 

that  disrupts  work) 

some  relations  to  do 
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Figure  27:  Connectedness  with  Coworkers  Scale 


For  the  incident  in  question,  to  what  extent  do  you  agree  or  disagree  with  the  following  statements 
about  the  subject’s  connection  with  coworkers  in  the  victim  organization? 

1 .  When  I’m  with  the  people  from  my  work  environment,  I  feel  understood. 

2.  When  I’m  with  the  people  from  my  work  environment,  I  feel  heard. 

3.  When  I’m  with  the  people  from  my  work  environment,  I  feel  as  though  I  can  trust  them. 

4.  When  I’m  with  the  people  from  my  work  environment,  I  feel  I  am  a  friend  to  them. 

5.  When  I’m  with  the  people  from  my  work  environment,  I  feel  included. 

6.  I  have  close  bonds  with  the  people  from  my  work  environment. 

7.  I  feel  accepted  by  the  people  from  my  work  environment. 

8.  I  have  a  sense  of  belonging  in  my  work  environment. 

9.  I  have  a  place  at  the  table  with  others  in  my  work  environment. 

10.  I  feel  connected  with  others  in  my  work  environment. 
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Appendix  B  Survey  Components 


Organizational  Justice  [Moorman  1991] 


Items 

Distributive  justice 

My  work  schedule  is  fair. 

I  think  that  my  level  of  pay  is  fair. 

I  consider  my  work  load  to  be  quite  fair. 

Overall,  the  rewards  I  receive  here  are  quite  fair. 

1  feel  that  my  job  responsibilities  are  fair. 

Formal  procedures 

Job  decisions  are  made  by  the  general  manager  in  an  unbiased  manner. 

My  general  manager  makes  sure  that  all  employee  concerns  are  heard  before 
job  decisions  are  made. 

To  make  job  decisions,  my  general  manager  collects  accurate  and  complete 
information. 

My  general  manager  clarifies  decisions  and  provides  additional  information 
when  requested  by  employees. 

All  job  decisions  are  applied  consistently  across  all  affected  employees. 

Employees  are  allowed  to  challenge  or  appeal  job  decisions  made  by  the 
general  manager. 

Interactional  justice 

When  decisions  are  made  about  my  job,  the  general  manager  treats  me  with 
kindness  and  consideration. 

When  decisions  are  made  about  my  job,  the  general  manager  treats  me  with 
respect  and  dignity. 

When  decisions  are  made  about  my  job,  the  general  manager  is  sensitive  to 
my  personal  needs. 

When  decisions  are  made  about  my  job,  the  general  manager  deals  with  me  in 
a  truthful  manner. 

When  decisions  are  made  about  my  job,  the  general  manager  shows  concern 
for  my  rights  as  an  employee. 

Concerning  decisions  made  about  my  job,  the  general  manager  discusses  the 
implications  of  the  decisions  with  me. 

The  general  manager  offers  adequate  justification  for  decisions  made  about  my 
job. 

When  making  decisions  about  my  job,  the  general  manager  offers  explanations 
that  make  sense  to  me. 

My  general  manager  explains  very  clearly  any  decision  made  about  my  job. 
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Survey  of  Perceived  Organizational  Support  (SPOS)  [Eisenberger  1986] 


1. * *  The  organization  values  my  contribution  to  its  well-being. 

2. *  If  the  organization  could  hire  someone  to  replace  me  at  a  lower  salary  it  would  do  so.  (R) 

3. *  The  organization  fails  to  appreciate  any  extra  effort  from  me.  (R) 

4. *  The  organization  strongly  considers  my  goals  and  values. 

5.  The  organization  would  understand  a  long  absence  due  to  my  illness. 

6. *  The  organization  would  ignore  any  complaint  from  me.  (R) 

7. *  The  organization  disregards  my  best  interests  when  it  makes  decisions  that  affect  me.  (R) 

8. *  Help  is  available  from  the  organization  when  I  have  a  problem. 

9. *  The  organization  really  cares  about  my  well-being. 

1 0.  The  organization  is  willing  to  extend  itself  in  order  to  help  me  perform  my  job  to  the  best  of  my  ability. 

1 1 .  The  organization  would  fail  to  understand  my  absence  due  to  a  personal  problem.  (R) 

12.  If  the  organization  found  a  more  efficient  way  to  gel  my  job  done  they  would  replace  me.  ( R) 

1 3.  The  organization  would  forgive  an  honest  mistake  on  my  part. 

14.  It  would  take  only  a  small  decrease  in  my  performance  for  the  organization  to  want  to  replace  me.  (R) 

15.  The  organization  feels  there  is  little  to  be  gained  by  employing  me  for  the  rest  of  my  career.  (R) 

1 6.  The  organization  provides  me  little  opportunity  to  move  up  the  ranks.  (R) 

17. *  Even  if  I  did  the  best  job  possible,  the  organization  would  fail  to  notice.  (R) 

18.  The  organization  would  grant  a  reasonable  request  for  a  change  in  my  working  conditions. 

19.  If  I  were  laid  off.  the  organization  would  prefer  to  hire  someone  new  rather  than  take  me  back.  (R) 

20. *  The  organization  is  willing  to  help  me  when  I  need  a  special  favor. 

2 1  .*  The  organization  cares  about  my  general  satisfaction  at  work. 

22. *  If  given  the  opportunity,  the  organization  would  take  advantage  of  me.  (R) 

23. *  The  organization  shows  very  little  concern  for  me.  (R) 

24.  If  1  decided  to  quit,  the  organization  would  try  to  persuade  me  to  stay. 

25. *  The  organization  cares  about  my  opinions. 

26.  The  organization  feels  that  hiring  me  was  a  definite  mistake.  (R) 

27. *  The  organization  takes  pride  in  my  accomplishments  at  work. 

28.  The  organization  cares  more  about  making  a  profit  than  about  me.  ( R) 

29.  The  organization  would  understand  if  I  were  unable  to  finish  a  task  on  time. 

30.  If  the  organization  earned  a  greater  profit,  it  would  consider  increasing  my  salary. 

3 1 .  The  organization  feels  that  anyone  could  perform  my  job  as  well  as  1  do.  (R) 

32.  The  organization  is  unconcerned  about  paying  me  what  I  deserve.  (R) 

33.  The  organization  wishes  to  give  me  the  best  possible  job  for  which  I  am  qualified. 

34.  If  my  job  were  eliminated,  the  organization  would  prefer  to  lay  me  off  rather  than  transfer  me  to  a  new  job.  (R) 

35. *  The  organization  tries  to  make  my  job  as  interesting  as  possible. 

36.  My  supervisors  arc  proud  that  I  am  a  part  of  this  organization. 


Note.  (R)  indicates  the  item  is  reverse  scored. 

*  These  items  were  retained  for  the  short  version  of  the  survey. 
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CY-CWB 


On  average,  how  frequently  does  each  non-accidental  employee  behavior  occur  at  your  organization?  Please  estimate  if  you  cannot 
remember. 

Occasionally  =  at  least  once  a  year 
Sometimes  =  at  least  once  every  other  month 
Often  =  at  least  once  a  week 
All  the  time  =  at  least  once  daily  * 

In  your  opinion,  how  often  does  this  employee  behavior  typically  occur  at  your 
organization? 


Purposely  damaging  a  piece  of  equipment  that  the  organization 
owns.  * 

[  —  Please  Select  -- 

Purposely  vandalizing  a  company  website.  * 

[  —  Please  Select  -- 

Purposely  took  a  non-trivial  item(s)  valued  over  $25  without 
permission.  • 

[  —  Please  Select  —  |_^J 

Purposely  reading  sensitive  documents  not  authorized  to  read.  * 

[  —  Please  Select  —  ^ 

Purposely  damaging  someone's  work  product  (reports,  repository, 
blogs,  etc).  * 

[  —  Please  Select  --  [  ▼ 

Purposely  inhibiting  a  coworker's  progress.  * 

|  —  Please  Select  — 

Purposely  logging  into  an  assigned  work  computer  during  business  hours  to  appear 
as  if  working  but  not  actually  working  * 

[  —  Please  Select  --  ^ 

Purposely  producing  work  that  was  low  quality  when  high  quality  work  was  easy 
and  possible.  * 

[  —  Please  Select  — 

Purposely  installing  software  to  harm  organization.  * 

|  —  Please  Select  -- 

Purposely  sending  an  email  to  harm  another  person's  computer.  * 

[  --  Please  Select  —  ▼ 

Purposely  providing  coworkers  with  sensitive  information  for  which  they 
were  not  authorized.  * 

[  —  Please  Select  --  |^j 

Purposely  and  inappropriately  transmitting  employer's  proprietary 
information  internally.  * 

|  -  Please  Select  - 

Purposely  taking  physical  or  electronic  copies  of  employer's  proprietary 
information  upon  resignation.  * 

[  --  Please  Select  - 

Purposely  mislabeling  the  sensitivity  of  emails  and/or  documents.  * 

|  —  Please  Select  —  |^J 

Purposely  violating  an  acceptable-use  policy  for  tools  and  technology.  * 

[  --  Please  Select  —  |^J 

Purposely  violating  a  known  security  policy.  * 

|  --  Please  Select  - 

Purposely  accessing  the  organization’s  network  remotely  in  an  unauthorized  way.  * 

[  --  Please  Select  --  j^j 

Purposely  transmitting  organizational  proprietary  information  externally  without 
authorization.  * 

[  --  Please  Select  --  ^ 

Purposely  committed  an  unauthorized  wiretap  on  their  organization's  conversations. 

(wiretap  =  intercepting  telephone  and  internet  communications  in  an  unauthorized  manner) 

[  --  Please  Select  —  T 

Purposely  disabled  security  controls  without  authorization.  * 

[  --  Please  Select  --  [▼J 

Purposely  plagiarizing  a  co-worker’s  efforts.  * 

[  --  Please  Select  —  \^\ 

Purposely  posting  disgruntled  feelings  towards  their  organization  to  the  external  world 
(email,  social  media,  texts,  etc.).  * 

[  --  Please  Select  --  ’r 
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Appendix  C  Positive  Incentive-Based  Principles  and  Practice  Areas 


Fair  awards  and 
recognition 


Establish  values  congruence  criteria 
to  determine  alignment  of 
individuals  with  organization  values 


Needs  assessment  by  hiring 
group  to  develop  job  description 
linked  to  mission 


Attract  and 
retain  staff  to 
achieve  mission 


Structured  interviewing  to 
determine  values  congruence  and 
alignment  with  job  description 


Establish  policies  and  procedures  for 
action  when  employee  values  become 
misaligned  with  organization  values 


Staff  feel  supported  by 
the  org  in  executing 
their  job  description 


Insider  compromi 
is  detected  and 
mitigated 


At-risk  /nsider 
behaviors  are  detected 
and  mitigated  to 
prevent  compromise 


Insider  compromise 
prevented  through 
negative  incentives 


Insider  compromise 
prevented  through 
perceived  org  support 


Staff  feel  the  distribution  of 
resources  with  the  org  is  fair 
(distributive  justice). 


Insider  compromise 
prevented  through  other 
positive  incentives 


Staff  feel  the  org  is 
fair  and  equitable 


Staff  feel  the  processes  and 
procedures  in  the  organization 
are  fair  (procedural  justice). 

Staff  feel  the  quality  of  their 
treatment  is  respectful  and 
informative  (interactional  justice). 


Fair  compliance  and  ethics 
Fair  task  assortment  reporting  procedures 
and  resourcing 

Fair  conflict  resolution  and 
grievance  procedures 

Fair  performance 
appraisals. 


Staff  feel  the  org 
rewards  well 


Respectful  interpersonal 
treatment 

Transparent  explanations 
for  organizational  actions 


Transparent  criteria  for  promotions, 
rewards,  and  recognition 


Staff  feel  that 
supervisors  support 
them  well 


Staff  feel  that  the 
working  conditions 


Alignment  of  promotions, 
irds,  and  recognition 
across  the  organization 


Regular  employee 
orientation,  mentoring, 
expectation  setting 


Discretionary  and  peer-nominated 
rewards  and  recognition  based  on 
performance 

Effective  communication 
during  normal  course  of 


Effective  communication 
during  potentially 
adverse  events 


Supportive  management 
during  normal  course  of 
business 


Professional  development  for 
furthering  employee  careers 
and  sense  of  mastery 


Providing  intra-  and  inter-group 
information  that  helps  employees 
fulfill  their  responsibilities 

Communicating  the 
discretionary  nature  of  actions 
that  benefit  employees 


Transparent  accounting  for 
organizational  actions  and 
their  impact  on  employee 

Conflict  resolution,  grievance,  and 
anonymous  commenting  procedures 
available  and  encouraged 


Expanding  jobs  according  to 
employee  strengths  and  interests 
with  potential  for  special  projects 


Level  of  autonomy 
commensurate  with  experience 
and  competence 


Flexibility  and  respectfulness  upon 
employee  special  requests  and  needs 


Helping  employees  struggling  with 
work  assignments  through  workload 
balancing  and  project  rightsizing 


Time  Off  and  Leave 


Confidential  employee  assistance 
programs  providing  an  impartial  third- 
party  to  discuss  issues  both  personal 
and  professional 


Figure  28:  Taxonomy  of  Positive  Incentive  Workforce  Management 


SOFTWARE  ENGINEERING  INSTITUTE  |  CARNEGIE  MELLON  UNIVERSITY 

[Distribution  Statement  A:  This  material  has  been  approved  for  public  release  and  unlimited  distribution.] 


44 


Fair  awards  and 
recognition 


ir  task  assignment 
and  resourcing 


Fair  conflict  resolution  and 
grievance  procedures 


Preconditions 
involving  recruiting 
and  hiring  the  right 


Positive 

incentives  promoting 
satisfaction,  performance 
and  retention 


Justice  (Fairness) 


Staff  feel  the  org  is 
i  fair  and  equitable 


Advancement  enabled 
appropriate  for  individual's 
skills  and  abilities 


Transparent  criteria  for  promotions, 
rewards,  and  recognition 


2>- 

Performance 

r 

-Based  Rewards 
and  Recognition 

Effective  communication  - 

Transparent 
and  Respectful 
Communicatio 


Conflict  resolution,  grievance,  and 
anonymous  commenting  procedures 
available  and  encourage 


Professional  development  for 
furthering  employee  careers 
of  mastery 


At-risk  in 
behaviors  are 
and  mitigated 
prevent  compromiSl 


Staff  feel  that 
1  supervisors  support 
them  well 


Staff  feel  that  the 
working  conditions 


Level  of  autonomy 
commensurate  with  experience 
and  competence 


,utonomy 

^^1 

Culture 
and  Working 
Conditions 


Helping  employee* 
work  assignments  through  workload 
balancing  and  project  rightsizing 


Taential  employee  assistance 
^programs  providing  an  impartial  third- 
party  to  discuss  issues  both  personal 
and  professional 


Figure  29:  Positive  Incentive-Based  Practice  Areas 
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